We provide security updates for the following versions:

We take the security of Zero to AI seriously. If you discover a security vulnerability, please follow these steps:

Please do not create a public GitHub issue for security vulnerabilities. This could put users at risk.

Send a detailed report to:

• GitHub Security Advisories: Report a vulnerability
• Email: Create a private issue or use GitHub's security advisory feature

• Description: Clear description of the vulnerability
• Impact: Potential impact and severity
• Steps to Reproduce: Detailed steps to reproduce the issue
• Affected Components: Which notebooks, scripts, or dependencies are affected
• Suggested Fix: If you have ideas for fixing the issue
• Your Contact Info: How we can reach you for follow-up

In the context of this educational repository:

• Malicious code injection in notebooks
• Dependencies with known security vulnerabilities
• Scripts that could expose sensitive information
• Unsafe code patterns that could harm users' systems
• Security misconfigurations in setup scripts

• General bugs or errors in notebooks
• Outdated package versions (unless they have CVEs)
• Missing features or enhancements
• Documentation errors
• Performance issues

1. Virtual Environments: Always use virtual environments to isolate dependencies

   conda env create -f environment.yml
   # or
   python -m venv .venv

2. Review Code: Review notebooks before running, especially those involving:

   • File system operations
   • Network requests
   • API calls
   • System commands

3. API Keys: Never commit API keys or sensitive credentials

   • Use environment variables
   • Add .env files to .gitignore
   • Use .env.example as a template

4. Dependencies: Keep dependencies updated

   pip list --outdated
   pip install --upgrade package-name

5. Data Privacy: Don't upload sensitive or personal data to public notebooks

When working with AI/ML APIs (OpenAI, HuggingFace, etc.):

# ✅ GOOD - Use environment variables
import os
api_key = os.getenv('OPENAI_API_KEY')

# ❌ BAD - Never hardcode keys
api_key = "sk-..." # NEVER DO THIS

When sharing notebooks:

1. Clear Outputs: Clear all cell outputs before committing
2. Remove Credentials: Check for accidentally committed keys/tokens
3. Sanitize Data: Remove or anonymize any personal/sensitive data
4. Review Imports: Be cautious with unfamiliar packages

We use automated tools to scan for dependency vulnerabilities:

# Using pip-audit
pip install pip-audit
pip-audit

# Using safety
pip install safety
safety check

If you discover a vulnerable dependency:

1. Check if it's already reported in GitHub Issues
2. If not, create a security advisory or private issue
3. Include the CVE number if available
4. Suggest an updated/alternative package if possible

When you report a security vulnerability:

1. Acknowledgment: We'll acknowledge receipt within 48 hours
2. Assessment: We'll assess the severity and impact
3. Fix: We'll work on a fix and test it thoroughly
4. Disclosure: We'll coordinate disclosure timing with you
5. Credit: We'll credit you in the security advisory (unless you prefer anonymity)

We will:

• Monitor dependencies for known vulnerabilities
• Update affected packages promptly
• Notify users of critical security issues
• Maintain a security changelog

• pip-audit - Python dependency scanner
• safety - Checks for known vulnerabilities
• bandit - Python code security analyzer

• OWASP Top 10
• Python Security Best Practices
• Secure Coding in Python

This security policy applies to:

• All code in this repository
• Dependencies listed in requirements.txt and environment.yml
• Setup scripts and configuration files
• Documentation that includes code examples

If you have questions about this security policy:

• Open a GitHub Discussion
• Create a non-sensitive issue for policy clarifications

Thank you for helping keep Zero to AI secure!

Last Updated: December 2025