European Commission Funds Jupyter Bug Bounty Program
Three Jupyter Subprojects – Jupyter Server, JupyterLab, and JupyterHub – are participating in a bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.
Intigriti is a cybersecurity company that specializes in crowdsourced security services like bug bounty programs, hybrid penetration testing, and hosting live hacking events. The financial support covers bounties from €250 to €5,000 and is part of the European Commission’s Open Source Software Strategy 2020–2023, which:
Promotes the sharing and reuse of software solutions, knowledge and expertise, to deliver better European services that benefit society and lower costs to that society. The Commission commits to increasing its use of open source not only in practical areas such as IT, but also in areas where it can be strategic.
This is a great opportunity for Project Jupyter to reduce the number of potential vulnerabilities in critical Jupyter components and to evaluate our vulnerability handling processes.
Project Jupyter was selected for sponsorship at the end of 2022. After discussions involving several Jupyter Subprojects and other stakeholders, the three Jupyter software components were chosen for inclusion. Representatives from Jupyter Server, JupyterLab, and JupyterHub have committed to validating and responding to submissions for their area. Focusing on a limited number of key Jupyter components was a way to balance the benefits of identifying vulnerabilities against developer obligations to review vulnerability submissions. The Jupyter Security Subproject is contributing to this effort by drafting the bug bounty program details and being a liaison between Intigriti and the other Jupyter Subprojects.
Submissions are triaged by Intigriti, including reproducing potential vulnerabilities and assigning a severity. The triage process ensures that submissions fall within the scope (software components, versions, etc.) defined by the program. Vulnerability severity is based on Intigriti’s contextualized Common Vulnerability Scoring System (CVSS) and assigned a rating of low, medium, high, critical, or exceptional. The severity determines both the bounty and the response time for Project Jupyter to validate a submission. After a submission passes triage, it is sent to Project Jupyter for validation.
Project Jupyter appreciates the financial support from the European Commission and the help by Intigriti representatives to establish the program. Security researchers and others interested in the bug bounty program can view the details on the Intigriti website.