jupyter / security

BSD 3-Clause "New" or "Revised" License

Create a high-level landing page for Jupyter security #1

Closed rcthomas closed 2 years ago

rcthomas commented 3 years ago

As a first issue I thought I'd suggest we follow through with a suggestion from @fperez during last week's Governance office hours, and create a high-level landing page such as "jupyter.org/security," similar to how ASF has a landing page at www.apache.org/security/ (thanks Sharan for the link). That page

The security landing page could provide links to resources on subprojects beyond that, or links to documentation about securing Jupyter deployments, or maybe reference a document that pulls these links together. Some great examples highlighted at the jupyter-server meeting last week include (probably not an exhaustive list):

rpwagner commented 3 years ago

@rcthomas I've drafted a barebones page in a fork of Jupyter repo. https://github.com/rpwagner/jupyter.github.io/blob/master/security.md

Carreau commented 3 years ago

+1,

I'm unsure about the PGP key; I've never used it and don't know who has access to it. Maybe @ivanov does?

Maybe we should also list security vulnerability reporters in a hall of fame later on this page.

We should also mention the ipython-security google group for semi-private security discussion and advanced notice.

Zsailer commented 3 years ago

@Carreau, maybe people on the steering council have access to this key? Would you mind sending an email to the SC to see if anyone does and if they can work with this group to find a good home for it?

Carreau commented 3 years ago

> Would you mind sending an email to the SC to see if anyone does and if they can work with this group to find a good home for it?

From digging in the archives it looks like @minrk and @takluyver also have the key, so that might help with sharing it. Even with the key I'm unsure how I would decrypt. And with my understanding of crypto I would prefer to have something other than a single key where we share the master. Can we have a master key that lists multiple subkeys so that each person on the security mailing list can decrypt independently and be revoked?
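The property asked about in the comment above (each list member decrypts with a key only they hold, and a member can be dropped without re-keying everyone else) is usually obtained by keeping one OpenPGP key per member and encrypting every report to all of them. The script below is an added example written for this page, not tooling from the Jupyter project; the members alice, bob and carol at example.org are constructed, the keys are generated without a passphrase for the demo only, and the report text is a placeholder, not a real finding. It uses only the `gpg` and `gpgconf` commands from GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example, not Jupyter project tooling: a per-member OpenPGP recipient set
# for a security list. Every report is encrypted to each member's own key, so any
# one member decrypts independently, and a member is dropped by removing their key
# from the recipient list. Member names and addresses are constructed for the demo.
set -eu

WORK=$(mktemp -d)
MEMBERS="alice bob carol"            # constructed; not real list members
LISTHOME="$WORK/security-list"       # keyring holding only the members' public keys
mkdir -m 700 "$LISTHOME"

cleanup() {
    for m in $MEMBERS security-list; do
        gpgconf --homedir "$WORK/$m" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Generate a demo-only, passphrase-less Ed25519 (sign) + Cv25519 (encrypt) key in a
# private homedir for one member, then import its public half into the list keyring.
make_member() {
    m=$1
    mkdir -m 700 "$WORK/$m"
    cat > "$WORK/$m.params" <<EOF
%no-protection
Key-Type: EDDSA
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ECDH
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $m Example
Name-Email: $m@example.org
Expire-Date: 0
%commit
EOF
    gpg --batch --quiet --homedir "$WORK/$m" --gen-key "$WORK/$m.params"
    gpg --batch --quiet --homedir "$WORK/$m" --export "$m@example.org" \
        | gpg --batch --quiet --homedir "$LISTHOME" --import
}

# encrypt_to OUT IN MEMBER...: produces one public-key-encrypted session-key
# packet per listed member. --trust-model always is acceptable only because
# this closed keyring was populated by us; a real list keyring should hold
# keys whose fingerprints were verified out of band.
encrypt_to() {
    out=$1; in=$2; shift 2
    rargs=""
    for m; do rargs="$rargs -r $m@example.org"; done
    # $rargs is deliberately unquoted so it expands to separate -r options.
    gpg --batch --quiet --yes --homedir "$LISTHOME" --trust-model always \
        $rargs --output "$out" --encrypt "$in"
}

# decrypt_as MEMBER FILE: plaintext on stdout; fails if FILE was not
# encrypted to MEMBER's key, since only MEMBER's homedir holds that secret key.
decrypt_as() {
    gpg --batch --quiet --homedir "$WORK/$1" --decrypt "$2" 2>/dev/null
}

# recipient_count FILE: number of public-key-encrypted session-key packets,
# i.e. how many keys can independently unwrap the message.
recipient_count() {
    gpg --batch --homedir "$LISTHOME" --list-packets "$1" 2>/dev/null \
        | grep -c '^:pubkey enc packet:' || true
}

for m in $MEMBERS; do make_member "$m"; done

REPORT="Constructed test report body; not a real finding."
printf '%s\n' "$REPORT" > "$WORK/report.txt"

# Report 1 goes to the full list; each member reads it with only their own key.
encrypt_to "$WORK/report-all.gpg" "$WORK/report.txt" alice bob carol

# Carol leaves the list: stop encrypting to her. She keeps what she already
# received (report 1) but cannot read anything sent afterwards.
encrypt_to "$WORK/report-after.gpg" "$WORK/report.txt" alice bob

echo "recipients: report-all=$(recipient_count "$WORK/report-all.gpg") report-after=$(recipient_count "$WORK/report-after.gpg")"
for m in $MEMBERS; do
    if decrypt_as "$m" "$WORK/report-after.gpg" >/dev/null; then
        echo "$m: can read report-after.gpg"
    else
        echo "$m: cannot read report-after.gpg"
    fi
done
```

The list's own keyring never holds a secret key, so there is no shared master to pass around. Removing a member is a change to the recipient list, not a re-key of everyone else, and a member who loses a device revokes their own key and publishes a replacement; the only thing the list has to do is update the key it encrypts to. Messages a departed member already received stay readable to them, which is a reason to keep report archives on the list side rather than relying on mailbox copies.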

rcthomas commented 2 years ago

At the Friday meeting we decided @rpwagner would finish this up and submit a PR, hopefully this week, to get the basic page in place; then we can start working on new issues for it.

rcthomas commented 2 years ago

It's live: https://jupyter.org/security. Thanks @rpwagner for setting this up and @choldgraf and @Carreau for review/merge!