I just [[T109331#1558739|learnt]] that phabricator is flooded with 11 (!) additional tags named Vuln-Something, which are only mentioned in https://www.mediawiki.org/wiki/Phabricator/Projects
I have no idea what's the use of such tags, but for sure they should be listed as subprojects of the main Security project, together with all the other subprojects. There is little gain in tracking security issues if they can't be found. https://phabricator.wikimedia.org/project/profile/30/
Added
A classification of Security bugs is applied via numerous Vuln-* tags.
to Security-Team description. Is that sufficient?
Security should probably be a acl* project in Phab instead. :-/
The link is helpful, but it still doesn't explain in what cases such tags should be added. The parent project should also be linked by the subprojects, so that the explanation is accessible from those too.
That part I'd leave to the Security team to clarify.
The parent project should also be linked by the subprojects
As subprojects are available and we can mark them as such but I'm not sure that is wanted.
I've specified that they correspond to the OWASP top-10 (+DoS). If you want more clarification documented there, I can summarize each vulnerability class there as well.
There is no list there. There is link to external site and link to search result.
I am looking for something like https://phabricator.wikimedia.org/project/profile/483/ (and I believe it was @Nemo_bis's intention as well).
If the OWASP list is considered clear enough, there's nothing wrong with just linking the list of Vuln-* projects.
However, the parent project should really explain e.g. the differences between Security-Core, Security-General, Security-Other.
...except for dependency on external site and forcing users to open new tab/window to see the definitions. Also tag names do not match names on the list, so one has to spend some time to match them.
However, the parent project should really explain e.g. the differences between Security-Core, Security-General, Security-Other.
T136594: Clarify distinction between #security-general and #security-other -> T109328: Undefined #Security-General and #Security-Other
Please. Cf. https://phabricator.wikimedia.org/project/profile/483/ mentioned earlier. Thank you.
Maybe make a general Vulnerabilities project and have infoleak, etc. as subprojects of them. And also have Security and Security-Extensions, etc. subprojects/milestones for them as well.
A security issue could be of more than one type of vulnerability hence no subprojects please.
Currently the (external) classification is linked, a query to get a list of all existing tags, and that it "should be applied to tasks that fall into those classifications." Furthermore, each tag offers a project description of its meaning.
Copying and listing every single tag description into the project description of Security-Team creates yet another separate place to manually update every time a tag description is updated or a new tag is created (if the updating person is aware of it). This duplication creates the likeliness of outdated information for rather little gain.
Hence I don't consider it feasible to list all tags in the project description of Security-Team and I am declining this task.