Clarify delegation of security-related policies to the Security Subproject

[afshin]

The Jupyter Security subproject, as currently recognized in the governance docs, has the same rights and responsibilities as other Jupyter subprojects. But the nature of the work they do (cf. a draft charter) often cuts across multiple subprojects and would ordinarily require either:

• a Jupyter Enhancement Proposal (JEP) for the SSC to vote on
• a change to these governance docs for the SSC + EC to vote on

To improve the friction this process can cause in creating coherent security strategies, we should update these governance docs with a short mission statement to indicate the consent of the EC and the SSC to delegate security policies to this subproject.

Once the Jupyter Security subproject as a group have an idea of what they think the language in the governance docs should be, someone from that team could open a PR here and open a vote to continue.

Please comment here if you have thoughts on this issue, or comment on the PR linked above.

cc: @krassowski @choldgraf @rpwagner because we spoke about this subject during EC office hours yesterday (12 June 2025).

[choldgraf]

I think this is a great idea. To me, it is important that we give trust and authority to working groups / subprojects / etc in order to empower them to carry out their responsibilities. For the security WG, I think that means that we should delegate the authority for them to ensure Jupyter can hit its security needs.

[krassowski]

Somewhat related I guess:

• Define a policy and guidelines for administrative control needed by Jupyter to delegate to the Security Working Group jupyter-governance/ec-team-compass#113

[krassowski]

Somewhat related is that we need to configure security managers on all organizations. Currently there may be vulnerability reports e.g. in jupyter-server and ipython org where no one who shows up on jupyter security calls has any visibility.

CC @jasongrout and @rpwagner who are listed on Jupyter Security Council and are at the same time EC members so should be able to monitor and answer any questions in all organizations.