
Volunteer NDA request for security issue access on behalf of wiki.gg
Open, Stalled, Needs Triage, Public

Description

wiki.gg is a third-party wiki farm (located at https://wiki.gg/). With over 500 wikis currently and consistent growth, we feel it is important to apply security patches, mitigations, and regularly look for any abnormalities before any details of exploits and vulnerabilities are made public. We'd like to be notified on any security issues relevant to third-party sites.

The people we'd like to have sign the volunteer NDA are myself, @RheingoldRiver, and @ReedemtheD3ad - all for the purpose described above. If we can't have that many people we can choose one or two people, please let us know. (We'll follow up with an ACL request when/if this step is completed.)

Please also let us know if we should e-mail someone for confirmation from our work domain (freedom.gg, which is the company running wiki.gg and mentioned in our terms of service and privacy policy).

CC-ing @cscott who has agreed to sponsor our request.

Event Timeline

Oops, sorry! We're indeed requesting the NDA specifically in this task. Focused so much on the reason that I didn't clarify it outside of the title...

We'd like to be notified on any security issues relevant to third-party sites.

It doesn't work like that; no pro-active notification is done.

Access to security issues works just fine; we can monitor for anything that impacts wiki.gg. Sorry for the confusion on my end.

Hi, what are the next steps here? Do we need to file something other than this ticket? (Again the aim of this ticket is to request the NDA)


@KFrancis, would you be able to help @Alex44019, @RheingoldRiver, and @ReedemtheD3ad get Volunteer NDAs?

Hello, please have @Alex44019, @RheingoldRiver, and @ReedemtheD3ad send me their Name, mailing address, and email to kfrancis@wikimedia.org and I'll put the agreements together. Thanks!

River sent an e-mail 15 minutes ago including all the information. Thank you.

Thanks so much! I'll process the agreements and send them out for signatures soon.

Hello all, I am confirming the three NDAs have been signed. Please proceed with next steps. Thanks!

colewhite changed the task status from Open to In Progress. Thu, May 30, 6:56 PM
colewhite claimed this task.

Thanks!

I have reached out internally to gain the necessary approval from the right people. Hang tight!


So volunteer security bug access is unfortunately a very difficult issue. We only have a handful of folks who have been given this access and they are typically former or current WMF staff and/or are extremely active in triaging and working on security issues within the Wikimedia ecosystem. We've tried offering more limited security bug access in the past to various MediaWiki operators (e.g. T101017) but that wasn't possible since it's all-or-nothing access to every security bug within Phabricator, including some extremely sensitive issues regarding current and past security incidents. I'm not going to say that this isn't possible, but it would require WMF-Legal and various leadership at the WMF understanding and accepting this risk.

Understood, we didn't realize it was such a restricted group of people. We would be happy to have just one person approved, either Alex (preferred) or myself, if this helps.

colewhite changed the task status from In Progress to Stalled. Fri, Jun 7, 5:05 PM
colewhite removed colewhite as the assignee of this task.

@colewhite: Which task, author, third party, or subtask is this task stalled on exactly?


This task is waiting for approval from a c-level exec, the security team, my manager (or any wmf manager), and a wmf sponsor per the Volunteer NDA and WIKISEC-PHABSECACCESS-SOP. I sent them an email requesting a reply on this task back on May 31st.