
Participating in Security Bug Bounty program #174

Open
jasongrout opened this issue Jan 25, 2023 · 9 comments

@jasongrout
Contributor

jasongrout commented Jan 25, 2023

We have the opportunity to participate in a bug bounty program, funded by the European Commission and run by Intigriti. The idea is that security researchers would look at a set of packages we decide over a period of 6-8 weeks and look for security issues. Researchers that find a security issue submit the bug report and possibly a fix to Intigriti, then Intigriti vets the reports and passes the high-quality reports on to JupyterLab. If we verify the severity (and if there is a fix proposed, the fix), then Intigriti pays out a bounty to the researcher.

In JupyterLab, our responsibilities would be to:

  1. Decide what packages are in scope.
  2. For each package, give:
    • Download and install instructions
    • Instructions for reporting bugs (for example, we may turn on the security reporting infrastructure that GitHub provides, either for individual packages or for the JupyterLab GitHub organization)
  3. Be responsive to bug reports during this 6-8 weeks. Responsive means (a) verifying the severity and (b) if there is a proposed fix, vetting the fix.

This 6-8 week program would start soon, perhaps sometime in February 2023.

Questions to answer:

I sent an email to the JupyterLab Council asking for answers to the following questions by Feb 5, 2023 (AoE):

  1. Does the JupyterLab subproject want to participate?
  2. What packages are in scope? (And for each package, assemble the information indicated above)
  3. Who is the person or people that can serve as points of contact? These people would be making sure the process went smoothly, i.e., that bug reports were being responded to, and could field questions from Intigriti about the process.

Note that you don't have to be on the JupyterLab Council to help assemble this information or respond to bug reports.

jasongrout added the vote label and removed the bug label Jan 25, 2023
@jasongrout
Contributor Author

During the JupyterLab dev meeting today, we had the following notes:

  • Who wants to be the contact point? [role is to monitor that the process runs smoothly]
    • Piyush and David Q. volunteer to be the contact point
    • Helpers for reviewing the security reports:
      • Mike
      • Frederic
      • Andrii
      • Piyush
      • David Q.
  • What target:
    • 3.x or 4.x?
    • jupyterlab, jupyterlab-server?
    • [mike] Should we target JLab desktop, jupyterlab-git, ...
  • What they need:
    • At the beginning
      • How to install?
      • How to report? -> using GitHub CVE report
      • Point of contact person/people
    • During the hunt period, the contact must be responsive to their query.
  • Please respond by Feb 5

@jasongrout
Contributor Author

CC @jupyterlab/jupyterlab-council

@fcollonval
Member

I would be in favor of targeting jupyterlab and jupyterlab-server with 4.0.0 (latest alpha, maybe beta if the hunt starts at the end of February). We could extend the scope, but I fear that we will have trouble keeping up with the reports. Or, if we can set priorities, then:

  1. jupyterlab and jupyterlab-server for 4.0.0
  2. jupyterlab and jupyterlab-server for 3.6.x
  3. ...

I propose that @3coins and @dlqqq take care of the official response to Jason G. to highlight their leadership role for this.

Thanks Jason G. for opening the issue.

@3coins

3coins commented Jan 30, 2023

@jasongrout
Thanks for opening this issue. Are we expected to target any specific platforms (Unix/Windows/MacOS)?

I am planning to discuss this in the Jupyter Security meeting on Tuesday, 8-9am to get more info on where to record and triage these bug reports. I can get started on the installation and reporting instructions after this.

@jasongrout
Contributor Author

Are we expected to target any specific platforms (Unix/Windows/MacOS)?

I don't know of any requirements for a specific platform.

@fcollonval
Member

@3coins we missed the opportunity at the last weekly call to talk about this. Do you have enough information to respond to Jason by Sunday?

@3coins

3coins commented Feb 3, 2023

Yes, I have put together a doc for jupyterlab, jupyterlab-server.
https://hackmd.io/Dw6hYec_Qeu4sX4TdTkubQ

I will sync up with @Zsailer on jupyter-server and other server components later today.

@3coins

3coins commented Feb 5, 2023

@jasongrout
This doc should have all the info needed for the bug bounty program. Let me know if you need anything else.
https://hackmd.io/Dw6hYec_Qeu4sX4TdTkubQ

@jasongrout
Contributor Author

Thanks @3coins. I'm compiling the information and will contact the people that are listed as contacts about next steps.
