-
-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Participating in Security Bug Bounty program #174
Comments
During the JupyterLab dev meeting today, we had the following notes:
|
CC @jupyterlab/jupyterlab-council |
I would be in favor of targeting
I propose that @3coins and @dlqqq take care of the official response to Jason G. to highlight their leader role for this.
|
@jasongrout I am planning to discuss this in the Jupyter Security meeting on Tuesday, 8-9am to get more info on where to record and triage these bug reports. I can get started on the installation and reporting instructions after this. |
I don't know of any requirements for a specific platform. |
@3coins we miss the opportunity of the last weekly call to talk about this. Do you have enough information to respond to Jason by Sunday? |
Yes, I have put together a doc for jupyterlab, jupyterlab-server. I will sync up with @Zsailer on jupyter-server and other server components later today. |
@jasongrout |
Thanks @3coins. I'm compiling the information and will contact the people that are listed as contacts about next steps. |
We have the opportunity to participate in a bug bounty program, funded by the European Commission and run by Intigriti. The idea is that security researchers would look at a set of packages we decide over a period of 6-8 weeks and look for security issues. Researchers that find a security issue submit the bug report and possibly a fix to Intigriti, then Intigriti vets the reports and passes the high-quality reports on to JupyterLab. If we verify the severity (and if there is a fix proposed, the fix), then Intigriti pays out a bounty to the researcher.
In JupyterLab, our responsibilities would be to:
This 6-8 week program would start soon, perhaps sometime in February 2023.
Questions to answer:
I sent an email to the JupyterLab Council asking for answers to the following questions by Feb 5, 2023 (AoE):
Note that you don't have to be on the JupyterLab Council to help assemble this information or respond to bug reports.
The text was updated successfully, but these errors were encountered: