
Update and restructure public-facing wikimedia security documentation
Closed, Resolved · Public

Description

Similar to the work performed within T293790, the Security-Team has been actively analyzing public-facing security documentation on mediawiki.org, meta.wikimedia.org, wikitech.wikimedia.org and some related security content on office.wikimedia.org and foundation.wikimedia.org. We would like to begin further updating and restructuring some of the existing security-related documentation as well as creating new security best practices.

Phase 1

As a phase 1 effort, we would like to consolidate and update various security "landing pages". See below for more details.

Existing landing pages for consideration

  1. https://www.mediawiki.org/wiki/Security
  2. https://meta.wikimedia.org/wiki/Security
  3. https://wikitech.wikimedia.org/wiki/Security
  4. https://www.mediawiki.org/wiki/Wikimedia_Security_Team

Proposed restructuring of existing landing pages

Event Timeline

sbassett triaged this task as Medium priority. Oct 4 2022, 4:51 PM
sbassett updated the task description.
sbassett changed the task status from Open to Stalled. Jul 10 2023, 5:47 PM
SLong-WMF subscribed.

Adding this to the tech docs team backlog so we can review and prioritize

👍

TBurmeister changed the task status from Stalled to In Progress. Jan 15 2026, 9:10 PM
TBurmeister claimed this task.
TBurmeister lowered the priority of this task from Medium to Low. Mar 19 2026, 8:17 PM

The state of these docs has evolved since this task was originally filed. I investigated the current state of each of the landing pages and docs they link to; the following improvements are already in place:

  • https://www.mediawiki.org/wiki/Security now has a (lovely!) navigation template with thematically grouped links that include sections for each of the groupings suggested in the original task (and more):
    • General MediaWiki security info and links to Manual are included under "Educational and Training material"
    • For developers: Resources include links to guides, training, and more, including links to https://www.mediawiki.org/wiki/Security/Training_resources and https://www.mediawiki.org/wiki/Security_for_developers (which is marked as an official development guideline).
      • For the specific programming language guides, I find only one draft of a GoLang security guide, but it's just a link of references. To me, this indicates it's likely not worthwhile for us to write or maintain our own security guides for these programming languages: there are many well-written guides already existing elsewhere, and we shouldn't create more maintenance burden by trying to create content of our own.
      • If there are Wikimedia or MediaWiki specific security guidelines relevant for specific programming languages, and they are lacking documentation, new separate tasks should be filed for that, so the Security teams and relevant product owners can triage and prioritize as needed. I would expect to find this type of information in the language-specific pages of the Development Guidelines collection of docs, with cross-references from this Security landing page (rather than putting this content within the Security docs collection).
    • Policies, processes, services: covered by the SOPs and Services section
  • https://meta.wikimedia.org/wiki/Security and https://wikitech.wikimedia.org/wiki/Security are primarily functioning as navigational or disambiguation landing pages, with what I think is an appropriate amount of content to help readers get to the relevant content on the other, more content-heavy landing pages. I think these should be left as-is. As part of my work on T415106, I added the "Security" tag to more docs on Meta, and added a link to the category page to the landing page, with a recommendation that people use that category to browse the relevant pages. The realm of security policy and related pages on Meta is large and has fuzzy boundaries, so if there's a prioritized workstream with clear requirements to update this, the topic could be revisited in the future.

This was a very early effort to provide something in the form of security best practices for languages besides PHP and JavaScript. Since that effort stalled and we don't even use golang that much as an organization, this page (and others like it) could be permanently retired IMO.

  • If there are Wikimedia or MediaWiki specific security guidelines relevant for specific programming languages, and they are lacking documentation, new separate tasks should be filed for that, so the Security teams and relevant product owners can triage and prioritize as needed.

I think Product Safety and Integrity would have to (re-)prioritize such efforts, which I personally don't see happening, at least not any time soon.

I guess this begs the question of whether security.wikimedia.org is still necessary. There are some pages there (hall of fame, bug bounty policy, etc) that probably need to be preserved somewhere.