
Come up with a plan for community security reviews of MediaWiki extensions/skins
Open, Low, Public


Security is probably one of MediaWiki's biggest strengths, and we have a pretty good security review process. However, it doesn't really scale for the entire MediaWiki ecosystem, since the WMF security team doesn't have the people power to review everything.

We should have a process in which other developers are designated as community security reviewers for extensions that aren't deployed to Wikimedia sites, and extension developers can request security reviews from them.

I briefly discussed this idea with @Bawolff at WikiConference NA a few weeks ago.

Event Timeline

So the next step is to get buy in from the Security-Team on this, since it relies on them for bootstrapping, and it doesn't make much sense to do it without their support.

Note that @Lex has some interest in this and proposed that the MediaWiki-Stakeholders-Group provide this as a service for its members. If we were to offer this (+ some code review) as a service, it might also allow us to review non-public extensions.

We would need to find someone who has the necessary MW/security knowledge, though. I'm open to ideas there.