The Jupyter Security Subproject exists to provide help and advice to Jupyter users, operators, and developers on security topics and to help coordinate handling of security issues.

Reporting vulnerabilities

If you believe you’ve found a security vulnerability in a Jupyter Subproject, you can either:

  • directly open a GitHub Security Advisory (GHSA) in the relevant repository
  • report it to security@ipython.org if opening a GHSA is not possible, or if you are unsure which repository it belongs to.

If you prefer to encrypt your security reports, you can use this PGP public key.

Vulnerability information

Known vulnerabilities are tracked using the CVE vendor ID 15653 for Jupyter.

GitHub provides alerts about vulnerable dependencies. If your supply chain includes Jupyter projects, these alerts can help you respond to vulnerabilities quickly and easily.

Security documentation

Several Jupyter projects maintain security-related documentation regarding usage or deployment of Jupyter software.

Community resources

We are working to identify and coordinate security efforts across the Jupyter community and within all the various subprojects. The Jupyter Security GitHub repo has information on how to participate and contribute. For discussion, please use the dedicated Discourse security topic on the Jupyter Discourse server.

Vendor assessments

Jupyter cannot provide or fill in “Plan-Risk Assessment”, “HECVAT”, “VPAT” and similar vendor assessment questionnaires.

You have likely been redirected to this section after contacting the Jupyter security team to fill in a questionnaire about the security best practices of your Jupyter “vendor” and to assess the Jupyter “product”.

The Jupyter Team and the Jupyter Security team are not vendors and cannot act as one. To be a vendor, Jupyter would need to have a contractual relationship with you, which we do not have.

Your questionnaire also likely asks how your ‘vendor’ stores your information (user information, billing information, contacts, etc.), who has access to it, and how those people are vetted. The Jupyter team does not hold any contact or billing information; nor do we collect, store, or have access to any information about how your Jupyter users use Jupyter or what they do in it. The Jupyter team is not even aware of who installs Jupyter.

  • If you use a service provider for Jupyter, they are your vendor and can answer those questions.

  • If you self-host Jupyter, then it is likely up to your IT team to fill in those assessments, as all the data is controlled by your IT team.

  • If you still need a vendor assessment, we advise you to contact one of the many companies that provide Jupyter support; unfortunately, out of fairness, we cannot give you names.