jupyter / security

BSD 3-Clause "New" or "Revised" License

Create a model for security.txt #3

Open blink1073 opened 2 years ago

blink1073 commented 2 years ago

cf https://github.com/jupyter-server/jupyter_server/issues/249

We should have a standard method for handling security.txt files.

Note that the one used by our main website is from the notebook project. Should the encryption file be generated per project?

Carreau commented 2 years ago

I don't think we need a per project encryption as vuln can anyway be across projects.

On Mon, Aug 30, 2021, 04:31 Steven Silvester @.***> wrote:

cf jupyter-server/jupyter_server#249 https://github.com/jupyter-server/jupyter_server/issues/249

We should have a standard method for handling security.txt https://en.wikipedia.org/wiki/Security.txt files.

Note that the one used by our main website https://github.com/jupyter/jupyter.github.io/blob/b954bd1f39b449991c6e4df559964019878c5e74/.well-known/security.txt is from the notebook project. Should the encryption file be generated per project?


rpwagner commented 2 years ago

I agree, we should limit the number of encryption keys, but have a simple policy on how to manage them.

I submitted a minimal SECURITY.md for JupyterHub. Something like this could be part of a repository template.
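As an added example (not Jupyter project code), a small checker for the RFC 9116 rules a shared security.txt model would need to enforce, written so that per-project files can all point at one shared Encryption key as the thread suggests. The contact address, key URL and dates are constructed placeholders, not real Jupyter values.

```python
"""Check a security.txt body against the core RFC 9116 rules.
Added example, not Jupyter project code; URLs and dates below are
constructed placeholders, not real Jupyter contacts or keys."""
from datetime import datetime, timedelta, timezone

REQUIRED = {"contact", "expires"}            # must be present
SINGLE = {"expires", "preferred-languages"}  # at most one occurrence
URI_SCHEMES = {"contact": ("https://", "mailto:", "tel:"),
               "encryption": ("https://", "dns:", "openpgp4fpr:")}

def parse(text):
    """Return {lower-case field name: [values]}; '#' lines are comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate(text, now):
    """Return a list of problems; an empty list means the file passes."""
    fields, problems = parse(text), []
    problems += [f"missing required field: {f}" for f in sorted(REQUIRED - set(fields))]
    problems += [f"field must appear once: {f}" for f in sorted(SINGLE & set(fields))
                 if len(fields[f]) > 1]
    for field, schemes in URI_SCHEMES.items():   # every value must be an allowed URI
        problems += [f"{field} is not an allowed URI: {v}"
                     for v in fields.get(field, []) if not v.startswith(schemes)]
    for e in fields.get("expires", [])[:1]:
        try:
            exp = datetime.fromisoformat(e.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {e}")
            continue
        if exp <= now:
            problems.append("Expires is in the past")
        elif exp - now > timedelta(days=365):
            problems.append("Expires is more than a year away (RFC 9116 recommends less)")
    return problems

# Constructed samples: a per-project file pointing at one shared key, and a broken one.
GOOD = """# constructed example
Contact: mailto:security@example.org
Expires: 2025-01-01T00:00:00Z
Encryption: https://example.org/.well-known/security-key.asc
"""
BAD = "Contact: security@example.org\nExpires: 2030-01-01T00:00:00Z\nExpires: 2030-06-01T00:00:00Z\n"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are stable
```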