Translate this pageLanguages: * Bahasa Indonesia * Deutsch * English * Lëtzebuergesch * Nederlands * Türkçe * Zazaki * brezhoneg * español * français * italiano * magyar * português do Brasil * čeština * русский * اردو * العربية * हिन्दी * বাংলা * ไทย * 中文 * 日本語 * 한국어

This is the process for reporting security issues in software and services maintained or operated by Wikimedia Foundation. This includes MediaWiki and Wikimedia projects such as Wikipedia.

We support responsible disclosure and we hope that anyone who finds a potential security issue in our ecosystem acts with discretion and forbearance.

What is considered a security issue

__DTELLIPSISBUTTON__{"threadItem":{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-What_is_considered_a_security_issue","replies":[]}} This is a general outline and not an exhaustive listing of the scope of this process.

• Issues that affect the availability of one of more services that are part of the Wikimedia ecosystem, but in particular when this is the result of a hostile set of actions or campaign.
• When the integrity of data hosted by the Wikimedia Foundation or affiliated entities is at risk of being corrupted, tampered with, or otherwise modified in an unauthorized manner.
• When the confidentiality of data owned by the Wikimedia Foundation or its affiliated entities is compromised, such that information meant to be restricted or private is leaked, revealed, stolen, or exfiltrated in an unauthorized manner.

Reporting a security issue

__DTELLIPSISBUTTON__{"threadItem":{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-Reporting_a_security_issue","replies":[]}} To report an issue, email security@wikimedia.org or use the Report Security Issue form on Phabricator.

Such reports will not be publicly visible at the time of reporting. See below for further process once issues are resolved.

What to include in a security issue report

__DTELLIPSISBUTTON__{"threadItem":{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-What_to_include_in_a_security_issue_report","replies":[]}} * Step-by-step instructions to reproduce the issue * If possible, proof-of-concept code demonstrating the issue is a best practice * If the vulnerability can be reproduced on a Wikimedia project (such as Wikipedia or Wiktionary) please indicate which as site configurations vary * If applicable, indicate if you are logged in or logged out when the issue occurs * For XSS or vulnerabilities that require a specific browser or plugin, please indicate which browser and version you are using. The specific version of any software used will be helpful. * OWASP vulnerability category (using OWASP Top 10 for 2017), or CWE id (using CWE By Research Concepts) * CVE if assigned (using the NIST CVE database) * Any other information needed to investigate and reproduce the issue

If you report the vulnerability by email to security@wikimedia.org, let us know if you have a Wikimedia Phabricator account as we will add you to the bug we create, so you can track the status.

Phabricator accounts can be created using an existing SUL Wiki account.

What happens when security issues are reported

__DTELLIPSISBUTTON__{"threadItem":{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-What_happens_when_security_issues_are_reported","replies":[]}} We will:

• Determine whether we consider it to be a security issue
• Attempt to reproduce the issue, and assign a priority to the bug based on its impact.
• A patch will be added in Phabricator, and another person will review it.
  • The patch should contain regression tests, whenever possible.
• The patch will be deployed on the Wikimedia cluster, and access to the patch will be given to a few trusted partners and distributors.[citation needed]
• If applicable, the patch will be included in the next release of MediaWiki. If the impact of the vulnerability is especially bad, or we have indication that it is being actively exploited, we will make a special security release of MediaWiki to ensure third parties are protected.
• Unless you explicitly indicate that certain information must not be published, we will make the Phabricator ticket public when the fix is released, and credit you in the release announcement. If you report the issue via email to securitywikimedia.org the email itself may be publicly released. This may include your email address and signature unless you request otherwise. The Phabricator tag PermanentlyPrivate will ensure reports are kept confidential in perpetuity.

Crediting reporters

__DTELLIPSISBUTTON__{"threadItem":{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-Crediting_reporters","replies":[]}} * Credit will be given to the reporter in the commit message fixing the issue * Credit will be given to the reporter in the official announcement email going to the MediaWiki-announce mailing lists * Credit will be given on Wikimedia Security Team/Thanks for vulnerabilities in MediaWiki core or a bundled library, skin, or extension. * Currently, there is no budget for security reports. This means no bounties are paid by Wikimedia Foundation for discovering security bugs on these projects, either in money or in merchandise.

Tracking report remediation

__DTELLIPSISBUTTON__{"threadItem":{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-Tracking_report_remediation","replies":[]}} When possible during the remediation process, the security bugs should have comments that include:

• Step-by-step instructions to reproduce further issues
• Links to the commits that introduced the bug
• Links to the Gerrit changesets that fixes the bug

Reporter access to their own authored reports is standard, but to gain access to security protected issues generally there is a separate process

Contributing patches

__DTELLIPSISBUTTON__{"threadItem":{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-Contributing_patches","replies":[]}} If you would like to provide a patch for a security bug, please add it as an attachment to the Phabricator task. You can either drag-and-drop the patch into the comment area, or include a diff of the patch as a comment.

Please do not submit patches to Gerrit. All Gerrit changes (including "drafts") are publicly accessible.

• See Creating a Security Patch section on wikitech for steps to create these patches, and Security patches section for how these patches are deployed.

Related security content

__DTELLIPSISBUTTON__{"threadItem":{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-Related_security_content","replies":[]}} | Project | Use by Wikimedia Security Team | | - | - | | mediawiki.org | General content for Policy, SOPs, etc. Official Security team page. | | wikitech.wikimedia.org | Procedural or instructional material that is not training. | | meta.wikimedia.org | Policy and other content for translation. | | office.wikimedia.org | Sensitive or private content. Must have an NDA and appropriate access. | | foundation.wikimedia.org | Canonical location for policies. |

NewPP limit report Parsed by mw‐web.eqiad.main‐844d85c7dc‐w596r Cached time: 20240807144129 Cache expiry: 2592000 Reduced expiry: false Complications: [show‐toc] DiscussionTools time usage: 0.012 seconds CPU time usage: 0.216 seconds Real time usage: 0.305 seconds Preprocessor visited node count: 274/1000000 Post‐expand include size: 1526/2097152 bytes Template argument size: 412/2097152 bytes Highest expansion depth: 11/100 Expensive parser function count: 0/500 Unstrip recursion depth: 0/20 Unstrip post‐expand size: 4663/5000000 bytes Lua time usage: 0.006/10.000 seconds Lua memory usage: 752258/52428800 bytes Number of Wikibase entities loaded: 0/400 Transclusion expansion time report (%,ms,calls,template) 100.00% 49.201 1 -total 57.77% 28.425 2 Template:Ll 40.09% 19.726 4 Template:Translatable 35.85% 17.640 1 Template:Citation_needed 20.31% 9.994 2 Template:Pagelang 5.49% 2.700 1 Template:@ 5.36% 2.636 1 Template:Fix Saved in parser cache with key mediawikiwiki:pcache:idhash:266304-0!canonical and timestamp 20240807144129 and revision id 6334832. Rendering was triggered because: page-view esi <esi:include src="/esitest-fa8a495983347898/content" /> Retrieved from "<https://www.mediawiki.org/w/index.php?title=Reporting_security_bugs&oldid=6334832>"