Please add yourself here:
| Name | affiliation | username |
|---|---|---|
| Rick Wagner | UCSD | @rpwagner |
| Matthias Bussonnier | Quansight | @Carreau |
| Rollin Thomas | NERSC | @rcthomas |
| Michał Krassowski | Oxford | @krassowski |
-
Meeting Expectations:
- For discussion of general Jupyter + security topics
- NOT for reporting or discussing specific vulnerabilities
- Appropriate place for reporting vulnerabilities:
-
Attendee Introductions
-
Trusted CI engagement update
- Focused on single server so far.
- Starting to look into hub
- "Research group cluster"
- Shared services/large cluster deployment
-
Documenting current vulnerability handling process
- See: #9
- Rick will start a document for tracking
- GitHub coordinated disclosure of security vulnerabilities
- OWASP Vulnerability Disclosure Cheat Sheet
-
Discuss current open issues, several are related
- NumFocus discussion (NumFocus-wide security)
-
Is the current pace typical?
- Kind of more of a blip
- Might be time of year
- HECVAT, not a vendor here, but can be a guideline for info we can provide
Discuss always adding Rollin and Rick to all Security advisories
- Updating blog post on ChaosDB?
- Core infrastructure badge project
- Suggested by Matthias:
- Recognition of people who have submitted actual CVE
- Supply chain attack and credential management as part of the org
- Raise Security specific funds that could be hold in a numfocus Security Specific Fund accounts