Credit security researchers that identify and disclose vulnerabilities
Closed, ResolvedPublic

Description

Security researchers that reach out to us to report security bugs should receive some credit for it. We may not have the ability to award money like Facebook or Google, but we can confer a bit of fame. This could either be a new section in Special:Version.

Not all those who disclose vulnerabilities wish to be identified, so we should make sure to ask first, and allow people to be credited under a nickname rather than a real name. We should also have an e-mail address inviting people who have disclosed vulnerabilities in the past to get in touch with us if they want to be credited.

Event Timeline

ori raised the priority of this task from to Needs Triage.
ori updated the task description.
ori subscribed.

We do already give credit for MediaWiki security issues in the announcements... I don't have a particular objection to adding them to the CREDITS file, but maybe not directly on Special:Version, where it'd be more prominent than most active developers.

I've been meaning to set up a page on mediawiki.org listing users who have reported or fixed vulnerabilities in MediaWiki, similar to https://www.google.com/about/appsecurity/hall-of-fame/. Special:Version might be nice if it only listed a small number of top reporters.

@csteipp, I think that would be a wonderful idea, but I'm a bit concerned with ranking as Google does there. I find the whole recent notion of making security a competition somewhat disconcerting; call me old-fashioned...

I find the whole recent notion of making security a competition somewhat disconcerting

Mozilla has a Security Bug Bounty Program involving money (off-topic: for my general thoughts on bounties see T88265#1870218).
I know we don't plan this, but to a smaller extent the unwanted outcome (signal/noise ratio) could be similar when it comes to reports (I triage in Mozilla Bugzilla and sometimes read such "Security" reports).
Appreciation, please yes; competition, please no.

I think it is interesting to explore this idea of appreciation with the tools we have at hand. From Wikimedia swag to travel sponsorship to our events, we have a wide range of potential appreciation.

From a Developer-Advocacy point of view there is nothing really that we need to change. If you agree on a process and provide us names, we are basically ready to do our part.

I think we should (obviously) continue to give credit in the announcements. I'm also a fan of having a page on mw.org, and of giving credit in the commit message that fixes the issue.

I'm not sure how I feel about adding to Special:Version/credits when people who only make a few commits are not included there. Maybe if we more strictly defined what constituted a patch contributor vs. a developer, I'd feel better about including more sections.

@Bawolff @TheDJ Please do have a look at my bug, sir: T127984. I'll be happy if there is any Hall of Fame page for it!

Thank you. Please let me know, sir, is there any such HOF page for the bug hunters? :)
*cheeeers*

I have indeed looked at your bug. Thank you for reporting it.

At this time we don't have a hall of fame page for bug hunters. Well, it's proposed in this bug, but we haven't decided yet if we are going to make one.

@Bawolff So, sir, if the HOF page gets active, will we bug hunters be listed over there??

@Dhirajindexes, thank you for your contributions. :)

To the ones interested in this initiative, if there is anything that Developer-Advocacy can do to help, let us know please.

@Bawolff @ori Sir, has the HOF page been updated? We will be happy, and it will be an honor, to be listed over there. Please let me know!

At this point, I would either push this proposal to Developer-Wishlist (2017) to check what the interest is, or decline the task.

Here, I created a page. Maybe that's the only way to move this forward :)

https://www.mediawiki.org/wiki/Guardians_of_Security

Thank you @TheDJ, I will be happy to be listed there with the name: Dhiraj Mishra

There actually already existed a page, but it hasn't been updated since 2015: https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Thanks

Ah, forgot about this bug.

Yes, I want to add a new section to the CREDITS file (no rankings, or even links to the issue, just a list of names, similar to how the contributors section does not rank contributors [anymore]).

I also want it to be official policy that we also credit reporters in:

  • Release announcement
  • Commit message of commit fixing the issue

[particularly for external reports, but it probably couldn't hurt to do it for WMF'ers who report issues too]

I recently updated https://www.mediawiki.org/wiki/Reporting_security_bugs to reflect this stuff.

@Bawolff this is great. One thought I had from looking at https://www.mediawiki.org/wiki/Reporting_security_bugs and https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Thanks is that they both only mention credit for vulnerabilities found in MediaWiki core or a bundled extension. I feel one missing part will be crediting those who report security issues in Wikimedia-deployed extensions. These may not make sense to credit in the MW core CREDITS file, as the issues weren't part of the code distributed in the tarballs, but it does seem worthwhile to also find a nice place to credit those who reported security issues that affected Wikimedia wikis, such as through a deployed extension, as they're helping keep Wikimedia projects secure even if it's not an issue that is part of core or a bundled extension. What do you think?

I agree 100%. In addition to Wikimedia-deployed extensions, we also should credit when people find things in stuff that Wikimedia makes but isn't an extension.

I'm less sure where and how to do that. It probably should be on https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Thanks, perhaps in a different section than the MediaWiki credits (since MW vulns probably make up the majority).

sbassett assigned this task to Reedy.
sbassett moved this task from Back Orders to Our Part Is Done on the Security-Team board.
sbassett subscribed.

Is this resolved by T262212: Create and Populate "Hall of Fame", or is something different wanted?

That's probably not quite as nice as getting into Special:Version, but the Security Team HoF is probably a good enough solution for now.