Security issues for MediaWiki, Wikimedia projects, and Wikimedia Foundation services are all reported through the same process.
We support responsible disclosure and we hope that anyone who finds a potential security issue in our ecosystem acts with discretion and forbearance.
Issue
To report an issue send an email to security@wikimedia.org or use the Report Security Issue form in Phabricator.
Such reports will not be publicly visible at the time of reporting. See below for further process once issues are resolved.
Report
If you report the vulnerability by email to security@wikimedia.org, let us know whether you have a Wikimedia Phabricator account, as we will add you to the bug we create so you can track its status.
Phabricator accounts can be created using an existing SUL Wiki account.
Reported
We will:
Reporters
Credit will be given on Wikimedia Security Team/Thanks for vulnerabilities in MediaWiki core or a bundled extension. [Todo: Clarify process around non-MediaWiki core security bugs]
[Proposed, as of right now this does not happen] For security issues in MediaWiki core or an extension, the reporter will be added to a special "Security Researchers" section of the Special:Version/credits page and of the CREDITS text file shipped with the MediaWiki source code.
Remediation
When possible during the remediation process, the security bugs should have comments that include:
Reporters have access to the reports they authored by default, but gaining access to other security-protected issues generally goes through a separate process.
Patches
If you would like to provide a patch for a security bug, please add it as an attachment to the Phabricator task. You can either drag-and-drop the patch into the comment area or include a diff of the patch as a comment. Please do not submit it as a patchset in Gerrit: all Gerrit patchsets (including "drafts") are publicly accessible, which would disclose the unfixed vulnerability.
Content
Project | Use by Wikimedia Security Team
---|---
mediawiki.org | General content for policy, SOPs, etc. Official Security Team page.
wikitech.wikimedia.org | Procedural or instructional material that is not training.
meta.wikimedia.org | Policy and other content for translation.
office.wikimedia.org | Sensitive or private content. Requires an NDA and appropriate access.
foundation.wikimedia.org | Canonical location for policy.
Understanding Wikimedia Security Team documentation structure