Merge pull request jupyter#413 from rpwagner/master

Carreau · web-flow · commit b6d299afb683 · 2021-09-10T09:38:18.000-07:00
Establish a /security page
diff --git a/_data/nav.yml b/_data/nav.yml
@@ -15,3 +15,5 @@ head:
     - title: Blog
       url: https://blog.jupyter.org
       newpage: true
+    - title: Security
+      url: /security
diff --git a/community.md b/community.md
@@ -57,11 +57,4 @@ a way that makes the community thrive.
 Below is a short list of gitter channels, email listservs, and github repositories
 where you can get involved. **We always welcome participation in the Jupyter community**.
 
-## Report vulnerabilities
-
-If you believe you've found a security vulnerability in a Jupyter project,
-please report it to [security@ipython.org](mailto:security@ipython.org).
-If you prefer to encrypt your security reports,
-you can use [this PGP public key](assets/ipython_security.asc).
-
 {% include community_lists.html %}
diff --git a/security.md b/security.md
@@ -0,0 +1,39 @@
+---
+layout: page_md
+title: Security
+tagline: Project Jupyter is committed to reducing risk in using, deploying, operating, or developing Jupyter software.
+permalink: /security
+---
+
+The Jupyter Security Subproject exists to provide help and advice to Jupyter
+users, operators, and developers on security topics and to help coordinate handling
+of security issues.
+
+## Reporting vulnerabilities
+
+If you believe you've found a security vulnerability in a Jupyter project,
+please report it to [security@ipython.org](mailto:security@ipython.org).
+If you prefer to encrypt your security reports,
+you can use [this PGP public key](assets/ipython_security.asc).
+
+## Vulnerability information
+
+Known vulnerabilities are tracked using the [CVE vendor ID 15653 for Jupyter](https://www.cvedetails.com/vulnerability-list/vendor_id-15653/Jupyter.html).
+
+[GitHub](https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies) provides alerts about vulnerable dependencies.
+If your supply chain includes Jupyter projects, these alerts can help you respond to vulnerabilities quickly and easily.
+
+## Security documentation
+
+Several Jupyter projects maintain security-related documentation regarding usage or deployment of
+Jupyter software.
+
+- [jupyter-server](https://jupyter-server.readthedocs.io/en/latest/operators/security.html)
+- [jupyterhub](https://jupyterhub.readthedocs.io/en/stable/reference/websecurity.html)
+
+## Community resources
+
+We are working to identify and coordinate security efforts across the Jupyter community and within all the various subprojects.
+The [Jupyter Security](https://github.com/jupyter/security) GitHub repo has information how to participate and contribute.
+For discussion, please use the special Discourse [security topic](https://discourse.jupyter.org/c/special-topics/security/48) on the Jupyter Discourse server.
+
