
Make it explicit that Wikimedia doesn't pay bug bounties
Closed, Resolved · Public

Description

Information is provided and moderated by members of the community. Accuracy has not been validated by HackerOne.

Event Timeline

Reedy created this task. Sep 7 2020, 8:46 PM
Restricted Application added a subscriber: Aklapper. Sep 7 2020, 8:46 PM
Reedy triaged this task as High priority. Sep 7 2020, 8:47 PM

@Platonides edit lgtm though I'd almost bold the entire line :)

I've also sent this to HackerOne:

Hello-

I'm an appsec engineer for the Wikimedia Foundation and was hoping we could update the following page:

https://hackerone.com/mediawiki

Preferred updates:

1) Under the "When you report a security flaw in MediaWiki, we will:" section, if a note could be included to the effect that we do not currently offer cash or equivalent rewards for bounties, that would be great. We've updated our bug reporting documentation with this blurb: "Currently there is no budget for security reports. This means no bounties are paid by Wikimedia Foundation for discovering security bugs on these projects, either in money or in merchandise."

2) Under the domains, also list: wikivoyage.org, commons.wikimedia.org, species.wikimedia.org as this represents all current, formally supported Wikimedia projects.

Thanks!

sbassett updated the task description. Sep 8 2020, 6:49 PM
sbassett moved this task from Incoming to Waiting on the Security-Team board.
sbassett closed this task as Resolved. Sep 16 2020, 4:56 PM
sbassett assigned this task to Platonides.
sbassett updated the task description.
sbassett moved this task from Waiting to Our Part Is Done on the Security-Team board.

HackerOne page has been updated. I had them add this text in the first paragraph: "Currently, there is no budget for security reports. This means no bounties are paid by Wikimedia Foundation for discovering security bugs on these projects, either in money or in merchandise." Maybe that will help? I'd guess this bug, as written, can be resolved for now.