Security issues for Mediawiki, Wikimedia
Projects, and Wikimedia
Foundation services are reported through
the same process.
We support responsible
disclosure and we hope that anyone who finds a potential
security issue in our ecosystem acts with discretion and forbearance.
- 1 Reporting A Security Issue
- 2 What to Include In A Security Issue Report
- 3 What Happens When Security Issues Are Reported
- 4 Crediting Reporters
- 5 Tracking Report Remediation
- 6 Contributing Patches
- 7 Related Security Content
Reporting A Security
To report an issue send an email to
email@example.com or use the Report
Security Issue form in Phabricator.
Such reports will not be publicly visible at the time of reporting. See below
for further process once issues are resolved.
What to Include In A Security Issue
- Step-by-step instructions to reproduce the issue
- If possible, proof-of-concept code demonstrating the issue is a best practice
- If the vulnerability can be reproduced on a Wikimedia project (such as Wikipedia or Wiktionary) please indicate which as site configurations vary
- If applicable, indicate if you are logged in or logged out when the issue occurs
- For XSS or vulnerabilities that require a specific browser or plugin, please indicate which browser and version you are using. Specific version of any software used will be helpful.
- OWASP vulnerability category (using OWASP Top 10 for 2017), or CWE id (using CWE By Research Concepts)
- CVE if assigned (using the NIST CVE database)
- Any other information needed to investigate and reproduce the issue
If you report the vulnerability by email to
firstname.lastname@example.org , let us know if
you have a Wikimedia Phabricator account
as we will add you to the bug we create so you can track the status.
Phabricator accounts can be
created using an existing SUL Wiki account.
What Happens When Security Issues Are
- Determine whether we consider it to be a security issue
- Attempt to reproduce the issue, and assign a priority to the bug based on its impact.
- A patch will be added in Phabricator, and another person will review it.
- The patch should contain regression tests, whenever possible.
- The patch will be deployed on the Wikimedia cluster, and access to the patch will be given to a few trusted partners and distributors[ citation needed ].
- If applicable, the patch will be included in the next release of MediaWiki. If the impact of the vulnerability is especially bad, or we have indication that it is being actively exploited, we will make a special security release of MediaWiki to ensure third parties are protected.
- Unless you explicitly indicate that certain information must not be published, we will make the Phabricator ticket public when the fix is released, and credit you in the release announcement. If you report the issue via email to email@example.com the email itself may be publicly released. This may include your email address and signature unless you request otherwise. The Phabricator tag PermanentlyPrivate will ensure reports are kept confidential in perpetuity.
- Credit will be given to the reporter in the commit message fixing the issue
- Credit will be given to the reporter in the official announcement email going to the MediaWiki-announce mailing lists
Credit will be given on Wikimedia Security Team/Thanks for vulnerabilities that are in MediaWiki core or a bundled extension [Todo: Clarify process around non-MediaWiki core security bugs]
[Proposed, as of right now this does not happen] For Security issues in MediaWiki core or an extension, the reporter will be added to a special "Security Researchers" section of the page Special:Version/credits and the CREDITS text file (in the source code) included with MediaWiki.
When possible during the remediation process, the security bugs should have
comments that include:
- Step-by-step instructions to reproduce further issues
- Links to the commits that introduced the bug
- Links to the Gerrit changesets that fixes the bug
Reporter access to their own authored reports is standard, but to gain access
to security protected issues generally there is a separate
If you would like to provide a patch for a security bug, please add it as an
attachment to the Phabricator task. You can
either drag-and-drop the patch into the comment area, or include a diff of the
patch as a comment. Please do not add it as a patchset
inGerrit. All Gerrit patchsets (including "drafts")
are publicly accessible.
Project | Use by Wikimedia Security Team
mediawiki.org | General content for
Policy, SOPs, etc. Official Security team
Procedural or instructional material that is not training.
Policy and other content for translation.
office.wikimedia.org | Sensitive
or private content. Must have an NDA and appropriate access.
foundation.wikimedia.org | Canonical location for Policy
Understanding Wikimedia Security Team documentation
[OWASP]: Open Web Application Security Project
[CVE]: Common Vulnerabilities and Exposures