Page MenuHomePhabricator
Create Task
Maniphest T401008

Security Issue Access Request for zoe
Closed, DeclinedPublic
Actions

Description

Phabricator Username: zoe

Reasons For Request: WMF employee / my team fielded a security ticket recently and it would be useful to not need to be manually added for the next one

Event Timeline

zoe created this task.Aug 1 2025, 3:19 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 1 2025, 3:19 PM
sbassett subscribed.Aug 1 2025, 3:22 PM

Confirmed @zoe has Phab 2fa set up:

Screenshot 2025-08-01 at 10.21.31 AM.png (93×509 px, 10 KB)

@zoe - I think all we need is a thumbs up from your manager on this task, and then we can grant you Phab security access at our next clinic.

zoe added a subscriber: VPuffetMichel.Aug 5 2025, 10:23 AM

@VPuffetMichel could you approve?

EMill-WMF subscribed.Aug 8 2025, 9:23 AM

Before this can be approved, I would like some more context on this ticket to support the request. What security ticket was fielded? Why do we think it will be so recurring that manual adding will be a big hassle?

zoe added a comment.Aug 11 2025, 9:54 AM

If that's the threshold I think I probably don't meet it. I can keep being manually added to tickets on a need-to-know basis.

sbassett added a comment.Aug 11 2025, 3:09 PM
In T401008#11070521, @EMill-WMF wrote:

Before this can be approved, I would like some more context on this ticket to support the request. What security ticket was fielded? Why do we think it will be so recurring that manual adding will be a big hassle?

We've typically granted WMF staff Phab security access, no questions asked, for the past several years, given that everyone is NDA'd and it doesn't significantly increase our attack surface in any meaningful way. If we do not wish to continue this practice, then we should update https://www.mediawiki.org/wiki/Security/SOP/Access_to_Phabricator_Security_Issues to include any additional requirements for said access.

sbassett changed the task status from Open to In Progress.Aug 11 2025, 4:49 PM
sbassett claimed this task.
sbassett triaged this task as Medium priority.
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett added a project: SecTeam-Processed.
EMill-WMF added a comment.Aug 13 2025, 1:28 AM
In T401008#11073176, @zoe wrote:

If that's the threshold I think I probably don't meet it. I can keep being manually added to tickets on a need-to-know basis.

Thanks @zoe, I think that's probably the right call for now.

In T401008#11074246, @sbassett wrote:
In T401008#11070521, @EMill-WMF wrote:

Before this can be approved, I would like some more context on this ticket to support the request. What security ticket was fielded? Why do we think it will be so recurring that manual adding will be a big hassle?

We've typically granted WMF staff Phab security access, no questions asked, for the past several years, given that everyone is NDA'd and it doesn't significantly increase our attack surface in any meaningful way. If we do not wish to continue this practice, then we should update https://www.mediawiki.org/wiki/Security/SOP/Access_to_Phabricator_Security_Issues to include any additional requirements for said access.

I've updated https://www.mediawiki.org/wiki/Security/SOP/Access_to_Phabricator_Security_Issues#Guidance_to_WMF_staff with some text to this effect.

EMill-WMF closed this task as Declined.Aug 13 2025, 1:28 AM
sbassett lowered the priority of this task from Medium to Low.Aug 13 2025, 1:00 PM
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits