Conversation

@jamesbhobbs jamesbhobbs commented Oct 27, 2025

Add minimal SECURITY.md

Summary

Adds a minimal SECURITY.md file to the repository root with essential security contact information. The file provides the email address for reporting vulnerabilities, a link to the PGP key for encrypted communications, and references the canonical security policy at https://deepnote.com/.well-known/security.txt. This keeps SECURITY.md as a stable pointer to the authoritative policy, avoiding duplication of content that could become stale.

Review & Testing Checklist for Human

  • Verify that security@deepnote.com is the correct contact email
  • Check that both links work and point to the correct resources (PGP key and security.txt)
  • Confirm this content matches the SECURITY.md files in deepnote/deepnote, deepnote-toolkit, and vscode-deepnote repos for consistency

Notes

  • This is part of a multi-repo effort to add consistent minimal SECURITY.md files across deepnote/deepnote, deepnote-toolkit, vscode-deepnote, and jupyterlab-deepnote
  • Uses proper markdown link syntax (no bare URLs) to avoid MD034 lint errors
  • Documentation-only change, no functional code modifications

Link to Devin run: https://app.devin.ai/sessions/438185883eb74719998759b503cc47b5
Requested by: James Hobbs (james@deepnote.com) / @jamesbhobbs

Summary by CodeRabbit

  • Documentation
    • Added security documentation outlining how to report vulnerabilities, including a designated reporting email, an optional PGP key for secure communication, and a link to the project's security policy to guide responsible disclosure and follow-up.
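The PR keeps SECURITY.md as a thin pointer to the canonical security.txt, and the checklist asks a human to confirm the contact, the links and the cross-repo consistency by hand. The script below is an added example (not code from this pull request or from the Deepnote project) of automating that consistency check: it parses a SECURITY.md body, parses the RFC 9116 security.txt it points to, and reports any drift between the two (missing contact or encryption links, bare URLs that would trip markdownlint MD034, an expired policy). The contact address and security.txt URL are the ones named in the PR description; the PGP key URL is a placeholder, and both file bodies are constructed samples.

```python
"""Consistency check between a repository's SECURITY.md pointer file and the
canonical RFC 9116 security.txt it references.

Added example; not code from the pull request or the Deepnote project. The
SECURITY.md and security.txt bodies below are constructed samples. The contact
address and security.txt URL come from the PR description; the PGP key URL is
a placeholder.
"""
import re
from datetime import datetime, timezone

# Constructed sample of a minimal SECURITY.md using markdown link syntax
# (no bare URLs, so markdownlint MD034 has nothing to flag).
SECURITY_MD = """# Security Policy

Report vulnerabilities to [security@deepnote.com](mailto:security@deepnote.com).
Encrypted reports: [PGP key](https://example.com/PLACEHOLDER-pgp-key.asc).
Canonical policy: [security.txt](https://deepnote.com/.well-known/security.txt).
"""

# Constructed sample of the canonical security.txt (RFC 9116 fields).
SECURITY_TXT = """Contact: mailto:security@deepnote.com
Encryption: https://example.com/PLACEHOLDER-pgp-key.asc
Expires: 2026-10-27T00:00:00.000Z
Canonical: https://deepnote.com/.well-known/security.txt
"""

# [text](target) markdown links; the target stops at the closing parenthesis.
MD_LINK = re.compile(r"\[([^\]]*)\]\(([^)\s]+)\)")


def parse_security_md(text):
    """Return (set of markdown link targets, set of bare URLs) from SECURITY.md."""
    links = {target for _, target in MD_LINK.findall(text)}
    # Whatever still looks like a URL after removing markdown links is bare.
    stripped = MD_LINK.sub("", text)
    bare = set(re.findall(r"https?://\S+", stripped))
    return links, bare


def parse_security_txt(text):
    """Return {field: [values]} from a security.txt body; fields may repeat."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no fields
        name, _, value = line.partition(":")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_consistency(md_text, txt_text, now=None):
    """Return a list of problems; an empty list means the two files agree."""
    now = now or datetime.now(timezone.utc)
    problems = []
    links, bare = parse_security_md(md_text)
    fields = parse_security_txt(txt_text)

    if bare:
        problems.append("bare URLs in SECURITY.md: %s" % sorted(bare))

    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("security.txt has no Contact field")
    for contact in contacts:
        if contact not in links:
            problems.append("SECURITY.md does not link to Contact %s" % contact)

    for enc in fields.get("Encryption", []):
        if enc not in links:
            problems.append("SECURITY.md does not link to Encryption %s" % enc)

    canonical = fields.get("Canonical", [])
    if canonical and not any(c in links for c in canonical):
        problems.append("SECURITY.md does not link to the canonical security.txt")

    expires = fields.get("Expires", [])
    if not expires:
        problems.append("security.txt has no Expires field")
    else:
        # RFC 9116 uses ISO 8601; normalise a trailing Z for fromisoformat().
        exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        if exp <= now:
            problems.append("security.txt Expires is in the past: %s" % expires[0])
    return problems


if __name__ == "__main__":
    for problem in check_consistency(SECURITY_MD, SECURITY_TXT) or ["OK: files agree"]:
        print(problem)
```

Run it against the real files by reading SECURITY.md from the repository root and fetching the security.txt URL; the same check can be looped over the sibling repositories named in the PR notes to catch a contact address or key URL that was updated in one place and not the others.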

@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

coderabbitai bot commented Oct 27, 2025

📝 Walkthrough

This PR adds a SECURITY.md file that defines the project's vulnerability disclosure process: a reporting email address, an optional PGP key URL for encrypted reports, and a link to the project's security policy. No code or public API declarations were changed.

Pre-merge checks

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Explanation: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title Check: ✅ Passed. The title "docs: add minimal SECURITY.md" accurately and directly describes the main change in the PR. It uses conventional commit style with a "docs:" prefix, is concise and specific, and clearly conveys that a SECURITY.md file is being added to the repository. A teammate scanning the commit history would immediately understand this is a documentation addition containing security contact information.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f7e4e0d and 67d3a38.

📒 Files selected for processing (1)
  • SECURITY.md (1 hunks)
🧰 Additional context used
🪛 markdownlint-cli2 (0.18.1)
SECURITY.md

3-3: Bare URL used

(MD034, no-bare-urls)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: check_release
  • GitHub Check: build
🔇 Additional comments (1)
SECURITY.md (1)

1-5: Content looks good.

The SECURITY.md is well-structured and follows best practices for minimal vulnerability disclosure. Markdown links are properly formatted. The MD034 lint hint is a false positive—security@deepnote.com is an email address (not a bare URL) and markdown-formatted URLs are excluded from that rule.


Comment @coderabbitai help to get the list of available commands and usage tips.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0c1b9dd and f7e4e0d.

📒 Files selected for processing (1)
  • SECURITY.md (1 hunks)
🧰 Additional context used
🪛 markdownlint-cli2 (0.18.1)
SECURITY.md

3-3: Bare URL used

(MD034, no-bare-urls)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: check_release
🔇 Additional comments (2)
SECURITY.md (2)

3-3: Verify MD034 lint error.

The static analysis flagged MD034 (no-bare-urls) on this line, but the URLs appear to be properly wrapped in markdown link syntax. Confirm whether this is a false positive from the linter or if there's a syntax issue.


1-5: Structure and content look good.

The file is minimal and clear as intended. Remember to verify the PR's checklist items (email validity, link accessibility, and cross-repo consistency with other deepnote repositories).

@devin-ai-integration devin-ai-integration bot changed the title Add minimal SECURITY.md docs: add minimal SECURITY.md Oct 27, 2025
@codecov

codecov bot commented Oct 27, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.56%. Comparing base (0c1b9dd) to head (67d3a38).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #51   +/-   ##
=======================================
  Coverage   69.56%   69.56%           
=======================================
  Files          13       13           
  Lines         253      253           
  Branches       28       28           
=======================================
  Hits          176      176           
  Misses         73       73           
  Partials        4        4           

☔ View full report in Codecov by Sentry.

@jamesbhobbs jamesbhobbs marked this pull request as ready for review October 27, 2025 15:43
coderabbitai[bot]
coderabbitai bot previously approved these changes Oct 27, 2025
dinohamzic
dinohamzic previously approved these changes Oct 27, 2025
Co-authored-by: Dino Hamzić <dino@subtlebits.com>
@jamesbhobbs jamesbhobbs enabled auto-merge (squash) October 27, 2025 15:57
@jamesbhobbs jamesbhobbs disabled auto-merge October 27, 2025 16:14
@jamesbhobbs jamesbhobbs merged commit 66be5fc into main Oct 27, 2025
14 checks passed