Create 2023-12-19.md

Add 2023-12-19 notes

Author: rcthomas

meetings/2023-12-19.md

@@ -0,0 +1,21 @@
+# Jupyter Security Bi-weekly Meeting
+
+## Dec 19th, 2023
+
+| Name               | affiliation| username     |
+| -------------------| -----------|--------------|
+| David Qiu          | AWS        | @dlqqq       |
+| Rick Wagner        | UCSD       | @rpwagner    |
+
+- David: Rick proposed refining and outlining the existing security vulnerability process. It would involve a stakeholder from each subproject.
+    - I suggest that we also have a triage group for this to avoid generating noise. That is, if you receive a notification, it will be very likely that this vulnerability affects your project, and that this demands your attention.
+    - Rick suggests using GitHub's security vulnerability reporting process. We should investigate 1) when this sends notifications, and 2) who is notified in this process.
+    - I can help with another draft of the vulnerability reporting process.
+    - https://github.com/jupyter/security/blob/main/docs/vulnerability-handling.md
+
+- Mike: https://github.com/jupyter/notebook/pull/7153/files
+    - Cross-linked in security repo: https://github.com/jupyter/security/issues/72
+  - David: I agree that GH Actions are sort of dangerous by default. But the real problem isn't that we need to hashpin, but that I'm not aware of any tool that helps with this.
+ 
+- Mike: Perhaps we should invite https://github.com/diogoteles08 to one or our meetings in the future.
+    - David: I agree with this; let's build a bridge if possible.