
Add security.txt to Wikimedia sites? (2023 edition)
Open, In Progress, Low, Public

Description

Following up on T187617: Add security.txt to Wikimedia sites?.

https://securitytxt.org/

https://github.com/securitytxt/security-txt

https://www.rfc-editor.org/rfc/rfc9116

The RFC has moved on a lot since 2018.

Also,

security.txt files have been implemented by Google, Facebook, GitHub, the UK government, and many other organisations. In addition, the UK’s Ministry of Justice, the Cybersecurity and Infrastructure Security Agency (US), the French government, the Italian government, the Dutch government, and the Australian Cyber Security Centre endorse the use of security.txt files.
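Since the task is about adopting RFC 9116 rather than the 2018 draft, the concrete rules worth checking before a file is shipped are: Contact is required and its values are URIs (email as mailto:, phone as tel:, web URIs over https://); Expires is required, ISO 8601, must not appear twice, and should be less than a year out; Preferred-Languages appears at most once; and the file lives at /.well-known/security.txt. The checker below is an added example, not part of the task, the Gerrit change, or Wikimedia's own configuration; the two sample files and the example.org addresses in it are constructed placeholders, and the fixed clock (REFERENCE_NOW) exists only so the results are reproducible.

```python
"""Parse and sanity-check a security.txt file against RFC 9116 rules.

Added example: not the page's own code and not the Wikimedia patch. The two
sample files below are constructed and describe no real site.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Fixed "current time" so the checks are reproducible (constructed value).
REFERENCE_NOW = datetime(2030, 6, 1, tzinfo=timezone.utc)

# Constructed sample that follows RFC 9116 (example.org is a placeholder).
GOOD_SAMPLE = """\
# Served at https://example.org/.well-known/security.txt
Contact: mailto:security@example.org
Contact: https://example.org/security-report
Expires: 2031-01-01T00:00:00.000Z
Preferred-Languages: en, de
Canonical: https://example.org/.well-known/security.txt
Policy: https://example.org/security-policy
"""

# Constructed sample with the mistakes a reviewer should catch.
BAD_SAMPLE = """\
Contact: security@example.org
Contact: http://example.org/report
Policy: http://example.org/policy
Preferred-Languages: en
Preferred-Languages: fr
"""

# Fields whose values are URIs; RFC 9116 requires web URIs to use https://.
URI_FIELDS = ("contact", "canonical", "encryption", "acknowledgments", "policy", "hiring")
# Fields RFC 9116 allows at most once.
SINGLE_FIELDS = ("expires", "preferred-languages")


def parse_security_txt(text):
    """Return (field_name, value) pairs; comment and blank lines are skipped."""
    fields = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' line: {line!r}")
        name, value = line.split(":", 1)
        fields.append((name.strip(), value.strip()))
    return fields


def _parse_expires(value):
    """Expires is an ISO 8601 timestamp; accept a trailing Z as UTC."""
    v = value[:-1] + "+00:00" if value[-1:] in ("Z", "z") else value
    dt = datetime.fromisoformat(v)
    if dt.tzinfo is None:
        raise ValueError("Expires has no timezone")
    return dt


def _check_uri(field, value, problems):
    """Flag values that are not URIs and web URIs that are not https."""
    scheme = urlparse(value).scheme.lower()
    if not scheme:
        problems.append(f"{field}: value is not a URI (use mailto:/tel: for addresses): {value!r}")
    elif scheme == "http":
        problems.append(f"{field}: web URIs must use https://: {value!r}")


def validate_security_txt(text, now=None):
    """Return a list of readable problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    by_name = {}
    for name, value in fields:  # field names are case-insensitive
        by_name.setdefault(name.lower(), []).append(value)

    problems = []
    if "contact" not in by_name:
        problems.append("Contact: required field is missing")
    for field in URI_FIELDS:
        for value in by_name.get(field, []):
            _check_uri(field.title(), value, problems)
    for field in SINGLE_FIELDS:
        if len(by_name.get(field, [])) > 1:
            problems.append(f"{field.title()}: must not appear more than once")
    if "expires" not in by_name:
        problems.append("Expires: required field is missing")
    else:
        try:
            expires = _parse_expires(by_name["expires"][0])
        except ValueError:
            problems.append(f"Expires: not an ISO 8601 timestamp: {by_name['expires'][0]!r}")
        else:
            if expires <= now:
                problems.append(f"Expires: file expired on {expires.isoformat()}")
            elif expires - now > timedelta(days=365):
                problems.append("Expires: should be less than a year in the future")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, validate_security_txt(sample, now=REFERENCE_NOW) or "OK")
```

Running it prints an empty result for the conforming sample and five findings for the broken one (a bare email address, two http:// links, a duplicated Preferred-Languages, and the missing Expires). A check like this is cheap to run in CI against the served file, and the Expires rule is the one most worth automating, since a file that silently lapses stops being a valid reporting channel.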

Event Timeline

As the original task was declined without comment, it would be helpful to understand what the input we're looking for in this task is (from SRE but also in general)? And who would be the decision maker, Security-Team?


If we want to go that path (which I think makes sense, but is low prio), the decision (and filling in the data) would be for the security team. Who then eventually takes care of making sure we serve the file is TBD. We can also just drop SRE for now and then add it back when there is progress to the state that it needs SRE involvement.

ABran-WMF triaged this task as Medium priority. Jan 30 2024, 10:06 AM

Removing SRE, please add us back when the decision to implement this has been made.

sbassett raised the priority of this task from Medium to Needs Triage. Feb 6 2024, 4:01 PM
sbassett moved this task from Watching to Incoming on the Security-Team board.
sbassett removed a project: SecTeam-Processed.
sbassett changed the task status from Open to In Progress. Feb 12 2024, 5:20 PM
sbassett triaged this task as Low priority.
sbassett moved this task from Incoming to In Progress on the Security-Team board.
mmartorana subscribed.


I think incorporating a security.txt file could be an improvement of our security posture. It's already recognized as an accepted standard, making it a best practice worth considering. It could also help streamline the reporting process for security vulnerabilities and help ensure that any issues are addressed efficiently.

Before committing to filling out the necessary data, we would need input from the SRE team to assess its feasibility.

Change 1010970 had a related patch set uploaded (by Mmartorana; author: Mmartorana):

[operations/mediawiki-config@master] Implementing security.txt standard

https://gerrit.wikimedia.org/r/1010970

Change 1010970 abandoned by Mmartorana:

[operations/mediawiki-config@master] Implementing security.txt standard

Reason:

https://gerrit.wikimedia.org/r/1010970

Change 1010971 had a related patch set uploaded (by Mmartorana; author: Mmartorana):

[operations/mediawiki-config@master] Implementing security.txt standard

https://gerrit.wikimedia.org/r/1010971