|
| 1 | +## January 17, 2023 |
| 2 | + |
| 3 | +| Name | affiliation| username | |
| 4 | +| -------------------| -----------| -----------------| |
| 5 | +| Jason Weill | AWS | @JasonWeill | |
| 6 | +| Matthias Bussonnier| Quansight | @carreau | |
| 7 | +| Rollin Thomas | NERSC | @rcthomas | |
| 8 | +| Jason Grout | Databricks | @jasongrout | |
| 9 | + |
| 10 | +- Security email addresses |
| 11 | + - [email protected] — Google Group, limited membership. |
| 12 | + - This is a limited-membership list, if someone ask to be put on it, we do a cursory check they are a real person and add them it is mostly meant for advance warning we are going to publish a release that fix a CVE and minor sec discussion. |
| 13 | + - 75 members now |
| 14 | + |
| 15 | + - This is a forward email maintained by XXXX, that only allow up to 10 members, it is meant for security reports. |
| 16 | + - Action items: |
| 17 | + - Formalize policy around who gets on these lists |
| 18 | + - Maybe set up new [email protected] reporting email? |
| 19 | + - widen the [email protected] receivers to spread the load |
| 20 | + |
| 21 | +- Bug bounty recommendation (intigrity, etc) |
| 22 | + - Jupyter as a software may not be a good fit for Intigrity. What Intigrity is offering is that if you have a service you sell with an API, we ask our researchers to pentest your service. If it's software that you install on your machine, it doesn't really fit the Intigriti model, which seems to |
| 23 | + - What services do we actually run? |
| 24 | + - nbviewer - no authentication, purely displays content, so not really applicable |
| 25 | + - binder |
| 26 | + - A difficulty is that some people we are talking with are in the European Union, others are from Intigriti |
| 27 | + - Action item: |
| 28 | + - Jason G to email Intigriti, to confirm whether this is a good fit, based on previous conversations |
| 29 | + - If it is a good fit, Jason G to email SSC to see what subprojects are interested, then forward that on to Intigriti |
| 30 | + |
| 31 | +- Recent reports |
| 32 | + - How do we manage security reports coming in? |
| 33 | + - Several options: |
| 34 | + - Security reports per subproject |
| 35 | + - Security reports in a centralized Project Jupyter repo |
| 36 | + - Security reports in a repo per subproject |
0 commit comments