Page MenuHomePhabricator

Add Security.md to MediaWiki Core?
Closed, ResolvedPublic

Description

Following on from having read http://www.jonobacon.org/2017/02/09/hackerone-professional-free-open-source-projects/ I think we should add something like a SECURITY.md (not necessarily to be part of the hackerone program) -- "Create a policy – you add a SECURITY.md in your project root that provides details for how to submit vulnerabilities "

Referenced example is https://github.com/discourse/discourse/blob/master/docs/SECURITY.md

Event Timeline

Reedy created this task.Feb 14 2017, 9:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 14 2017, 9:07 PM
MaxSem added a subscriber: MaxSem.Feb 14 2017, 9:33 PM

I'm not sure we really need it:

  • Unlike e.g. projects fully hosted on GitHub, we have our own bug tracker that allows submitting non-public security bugs.
  • We don't have any rewards for discovering security bugs program.
  • We aren't receiving enough security reports to really benefit from their other features (dupe finder, reputation management, etc).

@Reedy, I think this is a good idea for people working with a local repo who are unfamiliar with our projects.

We could create a SECURITY.md that basically contains the info from https://www.mediawiki.org/wiki/Reporting_security_bugs, and a comment in the source of that page noting that if the page is updated that SECURITY.md should be updated as well.

dpatrick triaged this task as Normal priority.Feb 14 2017, 9:41 PM

At the very least we should mention security@wm somewhere in README or a docs/SECURITY.

Change 382036 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/core@master] Add SECURITY

https://gerrit.wikimedia.org/r/382036

Bawolff closed this task as Resolved.Oct 3 2017, 8:22 PM
Bawolff claimed this task.

Change 382036 merged by jenkins-bot:
[mediawiki/core@master] Add SECURITY

https://gerrit.wikimedia.org/r/382036

sbassett moved this task from Backlog to Done on the Security-Team board.Jun 11 2019, 6:33 PM