Do not open a public GitHub issue for security vulnerabilities.

Email the maintainer directly at mbektasgh@outlook.com with:

• A description of the vulnerability and the impact you observed.
• Steps to reproduce, including affected versions of NBI, JupyterLab, and Python.
• Any proof-of-concept code or logs (redact secrets).

Expect an acknowledgement within five business days. Once we confirm the issue, we'll work with you on a coordinated disclosure timeline.

NBI follows semantic versioning starting with 4.0.0. Security fixes land on the latest minor release of the current major line. Earlier major lines are not actively maintained.

In-scope:

• The notebook_intelligence server extension and its HTTP handlers.
• The @plmbr/notebook-intelligence JupyterLab frontend.
• Built-in tools (nbi-notebook-edit, nbi-notebook-execute, nbi-python-file-edit, nbi-file-edit, nbi-file-read, nbi-command-execute).
• The Claude Skills import and managed-manifest reconciler.

Out of scope:

• Vulnerabilities in upstream dependencies (litellm, anthropic, openai, ollama, claude-agent-sdk, fastmcp) — please report those upstream. We will pick up patched releases when they ship.
• Vulnerabilities in MCP servers users install from third-party sources.
• Vulnerabilities in LLM providers themselves (data handling at OpenAI, Anthropic, GitHub Copilot, etc.).

NBI is a per-user tool. The server extension runs inside the user's Jupyter Server process and inherits that user's permissions. Built-in tools shell out as the user, MCP stdio servers run as the user, and the Claude Code CLI inherits the user's environment. There is no privilege boundary between the extension and the user's account.

For multi-tenant deployments, see docs/admin-guide.md for guidance on disabling features that are unsafe to expose without additional sandboxing (notably nbi-command-execute and nbi-file-edit).