
Add to MediaWiki Core?
Closed, Resolved (Public)


Following on from having read I think we should add something like a (not necessarily to be part of the hackerone program) -- "Create a policy – you add a in your project root that provides details for how to submit vulnerabilities "

Referenced example is


Event Timeline

Reedy created this task. Feb 14 2017, 9:07 PM
Restricted Application added a subscriber: Aklapper. Feb 14 2017, 9:07 PM
MaxSem added a subscriber: MaxSem. Feb 14 2017, 9:33 PM

I'm not sure we really need it:

  • Unlike e.g. projects fully hosted on GitHub, we have our own bug tracker that allows submitting non-public security bugs.
  • We don't have any program of rewards for discovering security bugs.
  • We aren't receiving enough security reports to really benefit from their other features (dupe finder, reputation management, etc).

@Reedy, I think this is a good idea for people working with a local repo who are unfamiliar with our projects.

We could create a that basically contains the info from, and a comment in the source of that page noting that if the page is updated that should be updated as well.

dpatrick triaged this task as Medium priority. Feb 14 2017, 9:41 PM

At the very least we should mention security@wm somewhere in README or a docs/SECURITY.

Change 382036 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/core@master] Add SECURITY

Bawolff closed this task as Resolved. Oct 3 2017, 8:22 PM
Bawolff claimed this task.

Change 382036 merged by jenkins-bot:
[mediawiki/core@master] Add SECURITY