Page MenuHomePhabricator
Create Task
Maniphest T158119

Add Security.md to MediaWiki Core?
Closed, ResolvedPublic
Actions

Description

Following on from having read http://www.jonobacon.org/2017/02/09/hackerone-professional-free-open-source-projects/ I think we should add something like a SECURITY.md (not necessarily to be part of the hackerone program) -- "Create a policy – you add a SECURITY.md in your project root that provides details for how to submit vulnerabilities "

Referenced example is https://github.com/discourse/discourse/blob/master/docs/SECURITY.md

Details

SubjectRepoBranchLines +/-
Add SECURITYmediawiki/coremaster+3 -0
Customize query in gerrit

Related Objects

Event Timeline

Reedy created this task.Feb 14 2017, 9:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 14 2017, 9:07 PM
MaxSem subscribed.Feb 14 2017, 9:33 PM

I'm not sure we really need it:

  • Unlike e.g. projects fully hosted on GitHub, we have our own bug tracker that allows submitting non-public security bugs.
  • We don't have any rewards for discovering security bugs program.
  • We aren't receiving enough security reports to really benefit from their other features (dupe finder, reputation management, etc).
dpatrick awarded a token.Feb 14 2017, 9:36 PM
Bawolff awarded a token.Feb 14 2017, 9:39 PM
dpatrick subscribed.Feb 14 2017, 9:41 PM

@Reedy, I think this is a good idea for people working with a local repo who are unfamiliar with our projects.

We could create a SECURITY.md that basically contains the info from https://www.mediawiki.org/wiki/Reporting_security_bugs, and a comment in the source of that page noting that if the page is updated that SECURITY.md should be updated as well.

dpatrick triaged this task as Medium priority.Feb 14 2017, 9:41 PM
Legoktm subscribed.Feb 15 2017, 1:45 AM

At the very least we should mention security@wm somewhere in README or a docs/SECURITY.

gerritbot subscribed.Oct 3 2017, 8:05 PM

Change 382036 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/core@master] Add SECURITY

https://gerrit.wikimedia.org/r/382036

gerritbot added a project: Patch-For-Review.Oct 3 2017, 8:05 PM
Bawolff closed this task as Resolved.Oct 3 2017, 8:22 PM
Bawolff claimed this task.
gerritbot added a comment.Oct 3 2017, 8:30 PM

Change 382036 merged by jenkins-bot:
[mediawiki/core@master] Add SECURITY

https://gerrit.wikimedia.org/r/382036

ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2017-10-10 (1.31.0-wmf.3)).Oct 3 2017, 9:00 PM
MZMcBride subscribed.Jan 1 2018, 6:24 AM
Reedy mentioned this in T187617: Add security.txt to Wikimedia sites?.Feb 17 2018, 10:59 AM
Reedy removed a project: Patch-For-Review.
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 6:33 PM
chasemp added a project: Security.Feb 10 2020, 10:58 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits