jupyter / security

BSD 3-Clause "New" or "Revised" License

Enable GitHub feature to report vulnerabilities privately #73

Open krassowski opened 6 months ago

krassowski commented 6 months ago

Problem: security@ipython.org email is a slow and annoying (see below) method of dealing with vulnerability reports

The current method:

Proposed solution: encourage orgs to enable private security reporting, which has been supported by GitHub since November 2022 (https://github.blog/changelog/2022-11-09-privately-report-vulnerabilities-to-repository-maintainers/) and is documented in https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability. This cuts out the middle man, stops friction between Jupyter security and maintainers, and solves the problem (yes, maybe naive, but I believe this should be seriously explored).

I had previously attended two Jupyter Security team meetings where this topic was discussed. Unfortunately the notes in the repo were not updated recently.

Carreau commented 6 months ago

I agree, though this feature is relatively recent, which is why it was not considered before. And one of the issues is that if the report is opened on the wrong org, it can't be transferred.

minrk commented 5 months ago

👍 from me.

Sure, transferring reports is a bit of a pain (I recently moved some), but not too bad and not really worse than transferring from the email reporting. Notifications to the right people are also a lot better handled on the GitHub advisories.

Carreau commented 4 months ago

I think we should try to have a list of orgs/repos and/or a script to check on which ones this is enabled.

I also had to recently enable it on jupyterlab.
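One way to build the check the comment above asks for, as an added example that is not code from this issue or from the jupyter/security project: a small Python script that lists an org's non-archived repositories and reports which ones have private vulnerability reporting on. It assumes the GitHub REST endpoint `GET /repos/{owner}/{repo}/private-vulnerability-reporting` (which returns `{"enabled": true|false}`), `GET /orgs/{org}/repos` for listing, and a token in the `GITHUB_TOKEN` environment variable; `example-org` and its repository names are constructed sample data used when no org is given on the command line.

```python
"""Audit which repositories in a GitHub org have private vulnerability
reporting enabled (added example, not the jupyter/security project's code).

Assumptions: GET /repos/{owner}/{repo}/private-vulnerability-reporting returns
{"enabled": bool}; GET /orgs/{org}/repos lists repos; GITHUB_TOKEN holds a
token that can read the org's repositories.
"""
import functools
import json
import os
import sys
import urllib.error
import urllib.request

API = "https://api.github.com"
PER_PAGE = 100


def github_get(path, token=None):
    """GET a REST path and return (http_status, parsed JSON or {})."""
    req = urllib.request.Request(API + path)
    req.add_header("Accept", "application/vnd.github+json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        # 404 covers repos we cannot see; other codes are surfaced as None later.
        return e.code, {}


def list_repos(org, fetch):
    """Yield names of non-archived repos, following page-number pagination."""
    page = 1
    while True:
        status, body = fetch(f"/orgs/{org}/repos?per_page={PER_PAGE}&page={page}")
        if status != 200 or not body:
            return
        for repo in body:
            if not repo.get("archived"):
                yield repo["name"]
        if len(body) < PER_PAGE:
            return
        page += 1


def reporting_enabled(org, repo, fetch):
    """True/False for the repo, or None when the endpoint is unavailable."""
    status, body = fetch(f"/repos/{org}/{repo}/private-vulnerability-reporting")
    if status != 200:
        return None
    return bool(body.get("enabled"))


def audit_org(org, fetch):
    """Return {repo_name: True | False | None} for every non-archived repo."""
    return {name: reporting_enabled(org, name, fetch) for name in list_repos(org, fetch)}


def missing(report):
    """Repos where reporting is known to be off: the ones a maintainer must enable."""
    return sorted(name for name, on in report.items() if on is False)


# Constructed sample responses so the script runs offline without a token.
SAMPLE_RESPONSES = {
    f"/orgs/example-org/repos?per_page={PER_PAGE}&page=1": (200, [
        {"name": "alpha", "archived": False},
        {"name": "beta", "archived": False},
        {"name": "old-thing", "archived": True},
        {"name": "gamma", "archived": False},
    ]),
    "/repos/example-org/alpha/private-vulnerability-reporting": (200, {"enabled": True}),
    "/repos/example-org/beta/private-vulnerability-reporting": (200, {"enabled": False}),
    "/repos/example-org/gamma/private-vulnerability-reporting": (404, {}),
}


def sample_fetch(path):
    """Stand-in for github_get that answers from SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(path, (404, {}))


def main(argv):
    if len(argv) > 1:
        org = argv[1]
        fetch = functools.partial(github_get, token=os.environ.get("GITHUB_TOKEN"))
    else:
        org, fetch = "example-org", sample_fetch
    report = audit_org(org, fetch)
    for name, on in sorted(report.items()):
        print(f"{org}/{name}: {'enabled' if on else 'DISABLED' if on is False else 'unknown'}")
    print("to enable:", ", ".join(missing(report)) or "none")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python audit_pvr.py jupyter` with `GITHUB_TOKEN` set to check a real org; without arguments it runs against the constructed sample. A result of `unknown` means the API call did not return 200 (typically a repo the token cannot read), so the script deliberately does not count it as enabled.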