Jupyter Notebooks’ hybrid nature—integrating code, configuration, and documentation—gives rise to defect patterns distinct from traditional software, yet existing tools and methodologies inadequately characterize their security risks. This paper presents the first large-scale empirical study on Notebook security, introducing the first comprehensive defect taxonomy specifically designed for Jupyter Notebooks. Our methodology combines quantitative analysis—including complexity metrics, contributor behavior, and documentation quality—with qualitative, grounded-theory-based analysis of over 10,000 security-related commits and vulnerability reports. Key findings reveal configuration errors as the most prevalent defect class (42%), followed by API misuse; mainstream deployment frameworks frequently exhibit critical vulnerabilities such as unauthorized access and sensitive information leakage. These results expose significant limitations of conventional software engineering practices in the Notebook context and provide an empirical foundation for developing Notebook-specific static analyzers and security governance frameworks.

Background. Jupyter notebooks are one of the main tools used by data scientists. Notebooks include features (configuration scripts, markdown, images, etc.) that make them challenging to analyze compared to traditional software. As a result, existing software engineering models, tools, and studies do not capture the uniqueness of Notebook's behavior. Aims. This paper aims to provide a large-scale empirical study of bugs and vulnerabilities in the Notebook ecosystem. Method. We collected and analyzed a large dataset of Notebooks from two major platforms. Our methodology involved quantitative analyses of notebook characteristics (such as complexity metrics, contributor activity, and documentation) to identify factors correlated with bugs. Additionally, we conducted a qualitative study using grounded theory to categorize notebook bugs, resulting in a comprehensive bug taxonomy. Finally, we analyzed security-related commits and vulnerability reports to assess risks associated with Notebook deployment frameworks. Results. Our findings highlight that configuration issues are among the most common bugs in notebook documents, followed by incorrect API usage. Finally, we explore common vulnerabilities associated with popular deployment frameworks to better understand risks associated with Notebook development. Conclusions. This work highlights that notebooks are less well-supported than traditional software, resulting in more complex code, misconfiguration, and poor maintenance.