jupyter-server / team-compass

A repository for team discussion, syncing, and meeting notes.
https://jupyter-server-team-compass.readthedocs.io
BSD 3-Clause "New" or "Revised" License

Participating in Security Bug Bounty program #49

Closed Zsailer closed 7 months ago

Zsailer commented 1 year ago

At yesterday's meeting, we discussed Jupyter Server's participation in a Security Bug Bounty program offered to Jupyter subprojects sponsored by the European Commission. Read more about it from @jasongrout's thread on the JupyterLab Team Compass page.

We elected to participate in this program, starting as soon as possible. I'll be sending the email today to enlist ourselves.

I (@Zsailer), @3coins, @jess-x, @andrii-i, and (when available) @kevin-bates agreed to help triage any issues that are created by this program.

The following repos will be added to the program:

3coins commented 1 year ago

@Zsailer I noticed that you have mentioned the security group email as the route for submitting security reports. Using the group email for reporting bugs from all projects might be chaotic. Should we rather use GitHub's CVE process to document these bugs? There are 2 advantages:

  1. We will have a dedicated place to track bugs by project; for cross-project bugs, we can ask to report on the jupyter/security project.
  2. Reporters are less likely to report spurious data, as GitHub's CVE form has some expected inputs and so provides some structure for the reporter to add data.
Zsailer commented 7 months ago

Closing, since the bug bounty program is finished. Thanks all!