Jcross (Jennifer Cross)
Project Manager

Projects (7)

User Details

User Since: Jul 1 2019, 6:26 PM (48 w, 1 d)
Availability: Available
IRC Nick: jencross
LDAP User: Unknown
MediaWiki User: JCross (WMF)

Recent Activity

Thu, May 28

Jcross added a project to T253901: Automate ticket removal from "Watching" column on the #Security-team Phabricator workboard after a certain timeframe: Security-Team.
Thu, May 28, 6:35 PM · Peek, User-chasemp, PM, Security-Team
Jcross created T253901: Automate ticket removal from "Watching" column on the #Security-team Phabricator workboard after a certain timeframe.
Thu, May 28, 6:34 PM · Peek, User-chasemp, PM, Security-Team

Wed, May 13

Jcross added a comment to T252462: Performance review of Chameleon skin, Bootstrap extension, SCSS library.

Hi @CCicalese_WMF - I just wanted to send a quick reminder that, per our SOP, we do need a minimum of 30 days prior to a desired deployment date in order to properly resource and perform a Readiness Review.

Wed, May 13, 4:23 PM · Performance-Team

Apr 8 2020

Jcross moved T246949: Security Review Request for MW Chameleon Skin from Waiting to Back Orders on the secscrum board.
Apr 8 2020, 10:59 PM · Wikimedia-Extension-setup, CPT Initiatives (API Gateway), secscrum, Security Readiness Reviews, RFS
Jcross added a comment to T246949: Security Review Request for MW Chameleon Skin.

Hi @CCicalese_WMF - thanks for the update. We'll take a look and please note that at least for deploy, our guidelines require that it is on Gerrit. We'll be in contact as our review proceeds.

Apr 8 2020, 10:58 PM · Wikimedia-Extension-setup, CPT Initiatives (API Gateway), secscrum, Security Readiness Reviews, RFS

Mar 31 2020

Jcross triaged T211489: Security review of bjeavons/zxcvbn-php as Medium priority.
Mar 31 2020, 5:06 PM · secscrum, Security Readiness Reviews, MediaWiki-Vendor, MediaWiki-User-login-and-signup
Jcross placed T211489: Security review of bjeavons/zxcvbn-php up for grabs.
Mar 31 2020, 5:04 PM · secscrum, Security Readiness Reviews, MediaWiki-Vendor, MediaWiki-User-login-and-signup
Jcross added a comment to T211489: Security review of bjeavons/zxcvbn-php.

Hi @Tgr - it does appear to need a re-review. We are putting it in our backlog and unassigning until someone can pick it up. We're doing our best but have limited resource hours right now, so please let us know if you have any questions or concerns and we'll be in touch as we move forward. Thanks!

Mar 31 2020, 5:03 PM · secscrum, Security Readiness Reviews, MediaWiki-Vendor, MediaWiki-User-login-and-signup
Jcross moved T248483: Security Readiness Review For MediaModeration from Incoming to Back Orders on the secscrum board.
Mar 31 2020, 5:01 PM · CPT Initiatives (Hash Checking), MediaWiki-extensions-MediaModeration, user-sbassett, secscrum, Security, Security Readiness Reviews
Jcross moved T211489: Security review of bjeavons/zxcvbn-php from Incoming to Back Orders on the secscrum board.
Mar 31 2020, 5:01 PM · secscrum, Security Readiness Reviews, MediaWiki-Vendor, MediaWiki-User-login-and-signup

Mar 30 2020

Jcross added a comment to T248483: Security Readiness Review For MediaModeration.

Hi there @Pchelolo - we were able to take a look at this in our clinic meeting today and have noted that you are aiming for an April 30th deployment date. While we don't currently see any issues with that date, please keep in mind that our ability to review in a timely fashion is subject to change (due to world pandemic chaos, and team members being affected, etc). Please let us know of any questions or concerns and we will be in touch as we move forward.

Mar 30 2020, 5:26 PM · CPT Initiatives (Hash Checking), MediaWiki-extensions-MediaModeration, user-sbassett, secscrum, Security, Security Readiness Reviews

Mar 12 2020

Jcross closed T131729: Android app doesn't warn that edit will expose IP address when not logged in as Declined.

We are declining this ticket as it has been almost four years since last comment. Should new work be required please create a new ticket. Thank you!

Mar 12 2020, 9:54 PM · WMF-Legal, Privacy, Wikipedia-Android-App-Backlog, Mobile-Apps
Jcross closed T115958: Inform EU readers that we use cookies as Declined.

We are declining this ticket as it has been 2+ years since last comment. Should new work be required please create a new ticket. Thank you!

Mar 12 2020, 9:52 PM · Readers-Web-Backlog (Tracking), WMF-Legal, Privacy
Jcross closed T154912: Is User-Agent data PII when associated with Action API requests?, a subtask of T102079: Metrics about the use of the Wikimedia web APIs, as Declined.
Mar 12 2020, 9:51 PM · Product-Infrastructure-Team-Backlog, Analytics, Reading-Admin, Epic, DevRel-September-2015, ECT-August-2015, Research-consulting, MediaWiki-API, ECT-July-2015, Developer-Advocacy
Jcross closed T154912: Is User-Agent data PII when associated with Action API requests? as Declined.

We are declining this ticket as it has been almost three years since last comment. Should new work be required please create a new ticket. Thank you!

Mar 12 2020, 9:51 PM · Product-Infrastructure-Team-Backlog, Privacy, Analytics, WMF-Legal, Reading-Admin, MediaWiki-API, Developer-Advocacy

Mar 10 2020

Jcross triaged T246949: Security Review Request for MW Chameleon Skin as Medium priority.

Hi @CCicalese_WMF and @WDoranWMF ,

Mar 10 2020, 5:29 PM · Wikimedia-Extension-setup, CPT Initiatives (API Gateway), secscrum, Security Readiness Reviews, RFS
Jcross moved T240472: Security review for the DiscussionTools extension from Back Orders to Our Part Is Done on the Security Readiness Reviews board.
Mar 10 2020, 5:10 PM · secscrum, Security Readiness Reviews, Editing-team, DiscussionTools
Jcross moved T187846: Security Review of Office IT Internal Account Management Tool from Back Orders to Our Part Is Done on the Security Readiness Reviews board.
Mar 10 2020, 5:10 PM · secscrum, Office-IT, Security Readiness Reviews
Jcross moved T243398: Security Readiness Review for one skin and five plugins to be used in Tech Blog based on Wordpress from In Progress to Our Part Is Done on the Security Readiness Reviews board.
Mar 10 2020, 5:09 PM · secscrum, Technical blog, Security Readiness Reviews

Mar 3 2020

Jcross triaged T246714: Security review for the minishlink/web-push PHP library as Medium priority.
Mar 3 2020, 6:12 PM · Push-Notification-Service, Patch-For-Review, secscrum, MediaWiki-Vendor, Product-Infrastructure-Team-Backlog, Security, Security Readiness Reviews
Jcross raised the priority of T246714: Security review for the minishlink/web-push PHP library from Low to Needs Triage.
Mar 3 2020, 6:12 PM · Push-Notification-Service, Patch-For-Review, secscrum, MediaWiki-Vendor, Product-Infrastructure-Team-Backlog, Security, Security Readiness Reviews
Jcross moved T246712: Security Readiness Review for push notifications infrastructure from Back Orders to Waiting on the Security Readiness Reviews board.

There is no code to review or RFC at this time and we are unable to move forward until they exist. At this time we can and will move forward with the minishlink/web-push review: https://phabricator.wikimedia.org/T246714

Mar 3 2020, 6:09 PM · Push-Notification-Service, secscrum, Product-Infrastructure-Team-Backlog, Security, Security Readiness Reviews

Mar 2 2020

Jcross reassigned T242285: Create status mechanism(s) for security-team@ combining Asana and Phab from Jcross to chasemp.
Mar 2 2020, 5:03 PM · PM, Security-Team
Jcross added a comment to T242285: Create status mechanism(s) for security-team@ combining Asana and Phab.

Initial thoughts / starting point:
Team level:

Mar 2 2020, 5:03 PM · PM, Security-Team

Feb 27 2020

Jcross added a comment to T242285: Create status mechanism(s) for security-team@ combining Asana and Phab.

Didn't get to this with JB today but it is on the radar and I have a short list going. Will touch base with him about it again soon.

Feb 27 2020, 1:26 AM · PM, Security-Team

Feb 25 2020

Jcross moved T241451: Security Review For SpamRegex extension from Back Orders to Watching on the Security Readiness Reviews board.
Feb 25 2020, 6:20 PM · secscrum, Security Readiness Reviews, SpamRegex, User-DannyS712
Jcross moved T244076: Security Readiness Review For ChessBrowser extension from Back Orders to Watching on the Security Readiness Reviews board.
Feb 25 2020, 6:20 PM · Community-Tech, secscrum, ChessBrowser, Security Readiness Reviews
Jcross closed T237588: Security review for MachineVision libraries, a subtask of T237596: Add MachineVision dependencies to vendor, as Declined.
Feb 25 2020, 6:16 PM · Structured-Data-Backlog, SDC-Statements (Machine-vision-depicts), MediaWiki-Vendor, MachineVision
Jcross closed T237588: Security review for MachineVision libraries as Declined.

Marking declined as there is no actionable work at this time. Please open a new ticket when / if work is needed on this in the future.

Feb 25 2020, 6:16 PM · secscrum, SDC-Statements (Machine-vision-depicts), Structured-Data-Backlog, Security Readiness Reviews, MediaWiki-Vendor, MachineVision

Feb 24 2020

Jcross added a comment to T189541: Flush private data on Beta Cluster.

Hi @Tgr ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that Privacy work is needed here. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly.

Feb 24 2020, 7:56 PM · Privacy, Beta-Cluster-Infrastructure
Jcross added a comment to T190246: "list" tool loads jQuery from code.jquery.com.

Hi @Legoktm ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that Privacy work is needed here. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly.

Feb 24 2020, 7:55 PM · Privacy, Tools
Jcross added a comment to T190522: Look and Listen map uses map tiles from OSM.

Hi @TheDJ ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that Privacy work is needed. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly.

Feb 24 2020, 7:54 PM · Privacy Engineering, Privacy, Tools
Jcross added a comment to T149465: UserName cookie should not be set when "remember me" is disabled.

Hi @Tgr ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that this Privacy work is still needed. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly.

Feb 24 2020, 7:47 PM · Privacy, MediaWiki-User-login-and-signup
Jcross added a comment to T173299: fill email obligatory for users who are signing up by the same IP and browser (Possible Sock puppetry).

Hi @Yamaha5 ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that this Privacy work is still needed. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly.

Feb 24 2020, 7:47 PM · Privacy, MediaWiki-User-login-and-signup
Jcross added a comment to T108505: Privacy Badger interferes with CentralAuth.

Hi @Tgr ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that Privacy work is still needed. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly.

Feb 24 2020, 7:46 PM · Privacy Engineering, Privacy, MediaWiki-extensions-CentralAuth
Jcross updated subscribers of T89415: looking to understand how frequently mobile ISP/proxy injected http tracking headers appear in the wild.

Hi @ggellerman ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that this Privacy work is still needed. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly.

Feb 24 2020, 7:44 PM · Privacy
Jcross closed T128281: Privacy link does not point to localized policy as Declined.

Thank you, @Yurik ! Cheers

Feb 24 2020, 7:39 PM · WMF-Legal, Privacy
Jcross added a comment to T143001: Wiki sites should delete all their cookies during logout.

Hi @Yurivict ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that this Privacy work is still needed. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly. Thank you!

Feb 24 2020, 7:29 PM · Privacy Engineering, Privacy, Wikimedia-General-or-Unknown
Jcross added a comment to T128281: Privacy link does not point to localized policy.

Hi @Yurik ! Security is working on cleaning up our boards a bit and we would appreciate confirmation that this Privacy work is still needed. We were hoping you could take a look and let us know? If you would like to move forward we will ensure it is triaged and assigned accordingly.

Feb 24 2020, 7:24 PM · WMF-Legal, Privacy
Jcross moved T103121: Automate data retention policy for search data from Intake to Done on the Privacy board.
Feb 24 2020, 7:21 PM · Discovery-Search, Privacy, Discovery, CirrusSearch
Jcross closed T103121: Automate data retention policy for search data as Declined.

The original author is disabled and significant time has passed, so we will decline this work for the time being.

Feb 24 2020, 7:20 PM · Discovery-Search, Privacy, Discovery, CirrusSearch

Feb 13 2020

Jcross closed T242792: Update language in security review SOPs to establish timelines and expectations as Resolved.
Feb 13 2020, 6:03 PM · PM, Security-Team
Jcross added a comment to T242792: Update language in security review SOPs to establish timelines and expectations.

Language updated and will continue to monitor and adjust.

Feb 13 2020, 6:03 PM · PM, Security-Team

Feb 11 2020

Jcross added a comment to T240869: Security Review For KaiOS Wikipedia app.

Hi @AMuigai - do you have a specific stop date / date we could begin review yet? Our process is frozen so long as commits are frequently being made. Alternatively, if you could choose a specific commit we could begin reviewing at that point with the understanding that we would *only* be reviewing to that point and further commits would not be included in our assessment.

Feb 11 2020, 6:14 PM · user-sbassett, KaiOS-Wikipedia-app (MVP), secscrum, Security Readiness Reviews, Inuka-Team

Feb 10 2020

Jcross added a comment to T242792: Update language in security review SOPs to establish timelines and expectations.

We've determined that the expectation of "30 days" as a timeframe will only apply once the team has received everything needed to move forward and as long as nothing occurs to hamper / restart our review process. This could include changes to code, which would restart the 30 day timer. I'll look at precise phrasing of this for Readiness reviews, and it will not apply to Concept reviews.

Feb 10 2020, 7:07 PM · PM, Security-Team

Feb 7 2020

Jcross added a comment to T242134: Security Review For Talk pages project.

@JTannerWMF We expect this to be in progress shortly and @sbassett will be in touch with any questions or concerns.

Feb 7 2020, 5:22 PM · secscrum, MW-1.35-notes (1.35.0-wmf.21; 2020-02-25), Security, user-sbassett, Editing-team (Tracking), DiscussionTools, Security Readiness Reviews

Feb 6 2020

Jcross added a comment to T244076: Security Readiness Review For ChessBrowser extension.

@Wugapodes - thanks for submitting this review. Is the goal in working upon and reviewing this extension to eventually get it into WMF production? If so, does it have any sponsoring WMF team or collective of individuals within Tech or Product? If there isn't a WMF sponsor and target deployment date, the Security-Team will have to triage this task as a lower priority for now. Thank you!

Feb 6 2020, 6:13 PM · Community-Tech, secscrum, ChessBrowser, Security Readiness Reviews
Jcross lowered the priority of T244076: Security Readiness Review For ChessBrowser extension from Low to Lowest.
Feb 6 2020, 6:07 PM · Community-Tech, secscrum, ChessBrowser, Security Readiness Reviews
Jcross triaged T244076: Security Readiness Review For ChessBrowser extension as Low priority.
Feb 6 2020, 6:05 PM · Community-Tech, secscrum, ChessBrowser, Security Readiness Reviews
Jcross moved T244076: Security Readiness Review For ChessBrowser extension from Incoming to Back Orders on the Security Readiness Reviews board.
Feb 6 2020, 6:05 PM · Community-Tech, secscrum, ChessBrowser, Security Readiness Reviews

Jan 22 2020

Jcross added a comment to T243398: Security Readiness Review for one skin and five plugins to be used in Tech Blog based on Wordpress.

This task has been resourced but reviewing by the planned deployment date (month) can not be guaranteed as we are out for All Hands next week, leaving less than 30 days. We will do our best to meet the requested timeline and will be in contact as work progresses.

Jan 22 2020, 5:19 PM · secscrum, Technical blog, Security Readiness Reviews
Jcross closed T187846: Security Review of Office IT Internal Account Management Tool as Declined.

Closing per email conversation with @bcampbell in OIT- this is an old ticket that no longer requires work from the Security-Team.

Jan 22 2020, 12:03 AM · secscrum, Office-IT, Security Readiness Reviews

Jan 17 2020

Jcross updated subscribers of T242792: Update language in security review SOPs to establish timelines and expectations.

Will review with @JBennett and AppSec team and plan on updating before 1/27/20

Jan 17 2020, 5:29 PM · PM, Security-Team

Jan 16 2020

Jcross added a comment to T229731: Global blocks: if an IP is within two ranges and one is locally disabled, GlobalBlock won't listen to the other one (CVE-2020-10534).

Regretfully, this ticket was outside of the team workflow thus your requests for review were not seen or acted upon by the Security Team in a timely fashion. We apologize for the confusion, as we are working hard to improve and evolve our processes. For future reference, tagging Security is not considered a request for service from the Security Team and following our SOP will ensure our prompt attention to your needs. Thank you - and again, we apologize for the confusion. We are adding our Security-Team tag and will take a look during our next clinic meeting.

Jan 16 2020, 8:04 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), Patch-For-Review, user-sbassett, Security, Security-Team, User-Urbanecm, Stewards-and-global-tools, GlobalBlocking

Jan 15 2020

Jcross moved T239940: Security review of OAuth 2.0 patches from In Progress to Our Part Is Done on the Security Readiness Reviews board.
Jan 15 2020, 4:21 PM · secscrum, Security Readiness Reviews, MediaWiki-extensions-OAuth, CPT Initiatives (OAuth 2.0)

Jan 8 2020

Jcross placed T187846: Security Review of Office IT Internal Account Management Tool up for grabs.
Jan 8 2020, 7:58 PM · secscrum, Office-IT, Security Readiness Reviews
Jcross moved T187846: Security Review of Office IT Internal Account Management Tool from In Progress to Back Orders on the Security Readiness Reviews board.
Jan 8 2020, 7:57 PM · secscrum, Office-IT, Security Readiness Reviews

Jan 7 2020

Jcross added a member for Security Readiness Reviews: Jcross.
Jan 7 2020, 7:37 PM
Jcross triaged T242124: Security Review For EventStreamConfig extension as Low priority.
Jan 7 2020, 6:27 PM · secscrum, MW-1.35-notes (1.35.0-wmf.19; 2020-02-11), user-sbassett, Analytics-Kanban, Security Readiness Reviews, Analytics, Event-Platform
Jcross triaged T242134: Security Review For Talk pages project as Low priority.
Jan 7 2020, 6:25 PM · secscrum, MW-1.35-notes (1.35.0-wmf.21; 2020-02-25), Security, user-sbassett, Editing-team (Tracking), DiscussionTools, Security Readiness Reviews

Dec 19 2019

Jcross triaged T240999: Create 'user affiliation' custom drop down field for forms as Medium priority.
Dec 19 2019, 12:21 AM · Phabricator, Security-Team
Jcross updated subscribers of T240492: Create generic security-team request for service intake mechanism.

Massaged a bit @chasemp but @JBennett is going to look as well. https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Services has been updated.

Dec 19 2019, 12:09 AM · Phabricator, Security-Team

Dec 18 2019

Jcross added a comment to T240999: Create 'user affiliation' custom drop down field for forms .

@chasemp - talked to JB and we are good to run with just this as a first iteration / attempt at metrics. This list looks accurate (ish) for team names? https://office.wikimedia.org/wiki/Contact_list

Dec 18 2019, 8:27 PM · Phabricator, Security-Team

Dec 13 2019

Jcross added a comment to T239940: Security review of OAuth 2.0 patches.

Hi @CCicalese_WMF - apologies, I'm out of the office. Do you have a date you're aiming for? Let me know and we'll try and get someone on it fairly quickly.

Dec 13 2019, 5:05 PM · secscrum, Security Readiness Reviews, MediaWiki-extensions-OAuth, CPT Initiatives (OAuth 2.0)

Dec 9 2019

Jcross added a comment to T239940: Security review of OAuth 2.0 patches.

Hi @CCicalese_WMF - can you please let us know if this is the only patch set you'd like us to look at? https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/OAuth/+/550847/

Dec 9 2019, 4:28 PM · secscrum, Security Readiness Reviews, MediaWiki-extensions-OAuth, CPT Initiatives (OAuth 2.0)
Jcross lowered the priority of T239778: Security review of banner with FB and Twitter share buttons from High to Medium.
Dec 9 2019, 4:21 PM · secscrum, Security Readiness Reviews, Privacy Engineering, MediaWiki-extensions-CentralNotice, Privacy, Fundraising-Backlog

Nov 20 2019

Jcross closed T227726: Security review of preact 8.4.2, a subtask of T225577: Audit component library for MobileFrontend's security, as Declined.
Nov 20 2019, 5:25 PM · Readers-Web-Backlog (Tracking), MobileFrontend (MobileFrontend and MinervaNeue architecture), Technical-Debt
Jcross closed T227726: Security review of preact 8.4.2 as Declined.

We are awaiting decisions from the Frontend working group and declining until the direction being taken is more clear.

Nov 20 2019, 5:25 PM · Readers-Web-Backlog (Tracking)

Nov 18 2019

Jcross closed T238268: How to best contact the WMF Security team? as Resolved.

Happy @sbassett could help, and as he mentioned we'll be adding more and refining in the near future. Cheers :)

Nov 18 2019, 5:54 PM · Security-Team

Nov 4 2019

Jcross created T237321: New subtask #2 for Chase.
Nov 4 2019, 9:05 PM · User-chasemp, Security-Team
Jcross created T237320: New Subtask #1 for Chase.
Nov 4 2019, 9:05 PM · Security-Team

Oct 29 2019

Jcross added a comment to T235720: Security concept review for newcomer tasks on Special:Homepage.

Excellent news @JTannerWMF - James is on it and we should have an update for you soon.

Oct 29 2019, 9:32 PM · Privacy, Growth-Team (Current Sprint), GrowthExperiments-Homepage

Oct 28 2019

Jcross added a comment to T235720: Security concept review for newcomer tasks on Special:Homepage.

Hi @JTannerWMF - we've taken a look at this and once WMF-Legal has wrapped up their review we should only need a few days at most.

Oct 28 2019, 5:34 PM · Privacy, Growth-Team (Current Sprint), GrowthExperiments-Homepage

Oct 25 2019

Jcross added a comment to T235720: Security concept review for newcomer tasks on Special:Homepage.

Hi @JTannerWMF, @sbassett beat me to the punch! We'll make a point of reviewing on Monday at our triage meeting and I'll be sure to touch base with you when we know what our timeline will look like.

Oct 25 2019, 9:25 PM · Privacy, Growth-Team (Current Sprint), GrowthExperiments-Homepage

Oct 21 2019

Jcross moved T208188: RFC: Partial opt-out method for Content security policy from In Progress to Incoming on the Security-Team board.
Oct 21 2019, 7:10 PM · Privacy Engineering, Security, Core Platform Team Workboards (Clinic Duty Team), Patch-For-Review, ContentSecurityPolicy, TechCom-RFC, TechCom, Security-Team

Oct 15 2019

Jcross triaged T235309: Assess the possibility of data release from a public health related research conducted by WMF and formal collaborators as Medium priority.
Oct 15 2019, 5:38 PM · Privacy Engineering, Privacy, WMF-Legal, Security-Team, Data-release
Jcross assigned T235309: Assess the possibility of data release from a public health related research conducted by WMF and formal collaborators to JFishback_WMF.
Oct 15 2019, 5:05 PM · Privacy Engineering, Privacy, WMF-Legal, Security-Team, Data-release
Jcross triaged T234987: Increase pbkdf2 parameter strengths (2019) as Low priority.
Oct 15 2019, 5:04 PM · Security, Wikimedia-Site-requests, MediaWiki-Authentication-and-authorization, Security-Team

Oct 4 2019

Jcross triaged T143969: Unable to mirror repository from git.legoktm.com into diffusion as Medium priority.
Oct 4 2019, 4:59 PM · cloud-services-team (Kanban), Security-Team, Striker, Phabricator
Jcross moved T143969: Unable to mirror repository from git.legoktm.com into diffusion from Incoming to Watching on the Security-Team board.
Oct 4 2019, 4:59 PM · cloud-services-team (Kanban), Security-Team, Striker, Phabricator
Jcross added a comment to T133735: Formalize procedures for doing security releases of MediaWiki extensions.

As an initial approach to get better visibility around security issues for bundled and deployed extensions, we plan to send this supplementary announcement: https://phabricator.wikimedia.org/T232113

Oct 4 2019, 4:57 PM · Documentation, Security-Team
Jcross triaged T133735: Formalize procedures for doing security releases of MediaWiki extensions as Medium priority.
Oct 4 2019, 4:52 PM · Documentation, Security-Team
Jcross triaged T217123: Add tests/CI to wikimedia/security/puppet as Lowest priority.
Oct 4 2019, 4:51 PM · Release-Engineering-Team (CI & Testing services), Release-Engineering-Team-TODO, Security-Team, Continuous-Integration-Config
Jcross moved T217123: Add tests/CI to wikimedia/security/puppet from Incoming to Watching on the Security-Team board.
Oct 4 2019, 4:51 PM · Release-Engineering-Team (CI & Testing services), Release-Engineering-Team-TODO, Security-Team, Continuous-Integration-Config
Jcross added a comment to T217123: Add tests/CI to wikimedia/security/puppet.

There is nothing in the repo and we do not know what plans Chase had / has for this. We will move to our "watching" column for the time being.

Oct 4 2019, 4:51 PM · Release-Engineering-Team (CI & Testing services), Release-Engineering-Team-TODO, Security-Team, Continuous-Integration-Config
Jcross triaged T214378: Check simple format constraints (no grouping) in PHP instead of SPARQL as Medium priority.
Oct 4 2019, 4:45 PM · Security-Team, Wikidata-Campsite, Wikibase-Quality-Constraints, Wikidata
Jcross triaged T150902: SMS based 2FA as Low priority.
Oct 4 2019, 4:42 PM · Security-Team
Jcross moved T150902: SMS based 2FA from Incoming to Watching on the Security-Team board.
Oct 4 2019, 4:42 PM · Security-Team
Jcross triaged T217351: Require original source file(s) to be committed with minified files as Medium priority.
Oct 4 2019, 4:40 PM · Security, JavaScript, Security-Team
Jcross moved T218618: Consider disabling Chrome Lite pages for Wikipedia on Chrome on mobile with Cache-Control: no-transform from Watching to Incoming on the Security-Team board.
Oct 4 2019, 4:38 PM · Privacy Engineering, Performance-Team (Radar), WMF-Legal, Security-Team, Privacy
Jcross triaged T218618: Consider disabling Chrome Lite pages for Wikipedia on Chrome on mobile with Cache-Control: no-transform as Medium priority.
Oct 4 2019, 4:38 PM · Privacy Engineering, Performance-Team (Radar), WMF-Legal, Security-Team, Privacy
Jcross moved T218618: Consider disabling Chrome Lite pages for Wikipedia on Chrome on mobile with Cache-Control: no-transform from Incoming to Watching on the Security-Team board.
Oct 4 2019, 4:38 PM · Privacy Engineering, Performance-Team (Radar), WMF-Legal, Security-Team, Privacy
Jcross added a comment to T231954: Increase session length for OTRS ticket system.

Upon review, Security Team is untagging as we will not be working on this ticket.

Oct 4 2019, 4:34 PM · OTRS
Jcross removed a project from T231954: Increase session length for OTRS ticket system: Security-Team.
Oct 4 2019, 4:34 PM · OTRS
Jcross triaged T221887: Ignore css in displaytitle when $wgRestrictDisplayTitle is enabled as Medium priority.
Oct 4 2019, 4:32 PM · Security-Team, User-notice, Patch-For-Review, MediaWiki-Parser
Jcross moved T221887: Ignore css in displaytitle when $wgRestrictDisplayTitle is enabled from Incoming to Watching on the Security-Team board.
Oct 4 2019, 4:32 PM · Security-Team, User-notice, Patch-For-Review, MediaWiki-Parser
Jcross added a comment to T224445: Permit hidden attribute in Sanitizer.

Upon review, Security Team is untagging as we will not be working on this ticket.

Oct 4 2019, 4:22 PM · MediaWiki-Parser
Jcross removed a project from T224445: Permit hidden attribute in Sanitizer: Security-Team.
Oct 4 2019, 4:21 PM · MediaWiki-Parser
Jcross moved T227242: Deploy WebAuthn to Wikimedia Wikis from In Progress to Watching on the Security-Team board.
Oct 4 2019, 4:20 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), Wikimedia-Extension-setup, Wikimedia-extension-review-queue, Release-Engineering-Team (Deployment services), Security-Team, Wikimedia-Site-requests
Jcross moved T227242: Deploy WebAuthn to Wikimedia Wikis from Incoming to In Progress on the Security-Team board.
Oct 4 2019, 4:17 PM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), Wikimedia-Extension-setup, Wikimedia-extension-review-queue, Release-Engineering-Team (Deployment services), Security-Team, Wikimedia-Site-requests