From 0c299b0e484ec892e2715106f993eddef78139b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Krassowski?= <5832902+krassowski@users.noreply.github.com> Date: Thu, 12 Jun 2025 18:45:18 +0100 Subject: [PATCH 1/2] Update email to report the security vulnerabilities --- security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security.md b/security.md index 148f88fa..6d479a16 100644 --- a/security.md +++ b/security.md @@ -14,8 +14,8 @@ of security issues. If you believe you've found a security vulnerability in a [Jupyter Subproject](https://jupyter.org/governance/list_of_subprojects.html), you can either: - - directly open a GitHub Security Advisory (GHSA) in the relevant repository - - report it to [security@ipython.org](mailto:security@ipython.org) if opening a GHSA is not possible, or you are unsure + - directly open a GitHub Security Advisory (GHSA) in the relevant repository (this is the preferred approach) + - report it to [security@jupyter.org](mailto:security@jupyter.org) if opening a GHSA is not possible, or you are unsure where it will belong. **We do not currently run bug bounty programs, and do not currently reward From e53aaa695e60099fd5dfa57a7722128351974dd6 Mon Sep 17 00:00:00 2001 From: Chris Holdgraf Date: Fri, 13 Jun 2025 05:40:28 -0700 Subject: [PATCH 2/2] Apply suggestions from code review --- security.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/security.md b/security.md index 6d479a16..8bbd8030 100644 --- a/security.md +++ b/security.md 
@@ -11,11 +11,11 @@ of security issues. ## How to report vulnerabilities -If you believe you've found a security vulnerability in a [Jupyter Subproject](https://jupyter.org/governance/list_of_subprojects.html), -you can either: +To report a security vulnerability in a [Jupyter Subproject](https://jupyter.org/governance/list_of_subprojects.html), +take one of these two actions: - - directly open a GitHub Security Advisory (GHSA) in the relevant repository (this is the preferred approach) - - report it to [security@jupyter.org](mailto:security@jupyter.org) if opening a GHSA is not possible, or you are unsure + 1. **Open a GitHub Security Advisory** (GHSA) in the relevant repository (preferred approach). See [the GitHub instructions for opening security advisories](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). + 2. **Send an e-mail to [security@jupyter.org](mailto:security@jupyter.org)** reporting the vulnerability. Only do this if opening a GHSA is not possible, or you are unsure what to do. where it will belong. **We do not currently run bug bounty programs, and do not currently reward
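Review bot: in the first patch (0c299b0e, hunk `@@ -14,8 +14,8 @@`), the contact address is switched from security@ipython.org to security@jupyter.org in both the link text and the `mailto:` target, which is consistent, but nothing in the change records what happens to reports that still reach the old address. Since this is the page people are told to use for vulnerability reports, the commit message or the surrounding text should state whether security@ipython.org keeps forwarding to the new address for a transition period, and the diffstat (`1 file changed, 2 insertions(+), 2 deletions(-)`) suggests other mentions of the old address elsewhere in the repository, if any, were not checked.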
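Review bot: in the second patch (e53aaa69, hunk `@@ -11,11 +11,11 @@`), the new list item `2. **Send an e-mail to [security@jupyter.org](mailto:security@jupyter.org)** ... or you are unsure what to do.` ends its sentence, but the unchanged context line ` where it will belong.` that followed the old bullet is kept, so the rendered text now reads "...or you are unsure what to do. where it will belong." That trailing fragment should be deleted in the same hunk (or the sentence restored to "...unsure where it will belong."). Also, the hunk changes the list from `-` bullets to `1.`/`2.` numbering while the lead-in says "take one of these two actions"; numbering is fine for alternatives, but the rendered Markdown should be checked so the items do not read as sequential steps.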