The Jupyter Security Subproject exists to provide help and advice to Jupyter users, operators, and developers on security topics and to help coordinate handling of security issues.

If you believe you've found a security vulnerability in a Jupyter Subproject, you can either:

• directly open a GitHub Security Advisory (GHSA) in the relevant repository
• report it to security@ipython.org if opening a GHSA is not possible, or you are unsure where it will belong.

If you prefer to encrypt your security reports, you can use this PGP public key.

Known vulnerabilities are tracked using the CVE vendor ID 15653 for Jupyter.

GitHub provides alerts about vulnerable dependencies. If your supply chain includes Jupyter projects, these alerts can help you respond to vulnerabilities quickly and easily.

Several Jupyter projects maintain security-related documentation regarding usage or deployment of Jupyter software.

• jupyter-server
• jupyterhub

We are working to identify and coordinate security efforts across the Jupyter community and within all the various subprojects. The Jupyter Security GitHub repo has information how to participate and contribute. For discussion, please use the special Discourse security topic on the Jupyter Discourse server.