Approved

I am the contract contact person, and the end date can be listed as June 30, 2023. Thanks!

Approved

Thank you so much for the quick reply. Exciting!!

Hi @BBlack and @Vgutierrez - could you please provide an update or some guidance around your expected timeline for this? Please let us know if anything else is required on our end. Thanks!

HI @WMDE-leszek, my apologies but due to some unexpected resourcing issues we expect to complete this before the end of January. Again, we are sorry for the delay and will do our best to turn this out as soon as possible after the holiday break.

Approved

Approved

Approved

You have the +1 from me to give access. I see no problem here.

Hey @Ottomata , could we possible have the files related to T299315: Automated attempts to log into a Phab account transmitted to us securely and then that and the rest can be deleted?

@Jelto You have my approval as Manfredi's manager.

@RLazarus You have my approval

Assigning to @Dsharpe and moving to Security Team incoming for triage and review.

After reviewing the initial intent of this ticket, I believe that this plan no longer fits in with the direction we are taking with our overall intake process.

@Aklapper that's an intentionally vague reference to various improvements we need to make as a team both in and out of phab.

Hi @Urbanecm_WMF - can you please let us know what your target deployment date is? It will help us to resource this appropriately. Please know that next quarter (Q1) would be the soonest we'd be able to get you in queue for review. Thank you!

Thanks, @ori . These assumptions sound correct to us and make a beta deployment for this extension low risk. While the Security Team is not in the business of giving thumbs up/thumbs down approvals, low risk is automatically accepted by the Foundation thus unblocking beta deployment. I hope this is helpful and helps you to move forward with the project.

This won't be revisited until related upstream workflows are addressed.

@sbassett we have a pile of these without tasks, boards, or members. We're aware and incorporating into workflow changes / development. Expect a team review of it all...eventually.

Thank you for doing this work, we appreciate your efforts in trying to get this extension to production. Unfortunately, the Security team is unable to assign a risk rating based upon a review not performed by a member of the Security team or an approved vendor.

Sending over to @Dsharpe as a supplier assessment. David, please let me know if we should send these your way via some other workflow?

@Volker_E @Jdlrobson Please respond to our previous message by April 20 or we will need to move this to our backlog. Thanks!

@ori We will discuss at our next AppSec scrum and provide an update next week. Thanks!

Apologies for the lack of updates @Jdlrobson - we do have a vendor lined up to complete this and will be in touch as they move forward. Thank you for your patience.

Hi, just a quick reminder that, as mentioned above, we will be unable to prioritize and schedule a security review until we've received an intended production support plan, including any potential Foundation team sponsorship. Please review our SOP for details: https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews

Hi @SLien_WMF - we'd love to schedule a quick chat to clarify. Could you please email me and let me know who would attend, and I will get something scheduled? Thanks!

@CKoerner_WMF Looks like we are all set for now and @Reedy expects to finish next week. Have a great weekend :)

Hi @MBinder_WMF - I noted that we still had it marked "Needs Triage" and wanted to correct that error. Adjust priority as needed. There is discussion happening around the remaining question and it was raised again just yesterday. We'll pursue resolution for you as soon as possible and apologize for the delay.

We are untagging as there is currently no path to production that we are aware of. Should this change, please feel free to tag us back in and we will triage.

We are untagging as there is currently no path to production that we are aware of. Should this change, please feel free to tag us back in and we will triage.

We are untagging as there is currently no path to production that we are aware of. Should this change, please feel free to tag us back in and we will triage.

Untagging as there has been no activity. Please feel free to re-tag if this moves forward and we will be happy to triage.

Sending to @Dsharpe for vendor assessment

Untagging as there has been no activity. Please feel free to re-tag if this moves forward and we will be happy to triage.

@SBisson @sbassett I'll place in planning queue for Q4 (https://phabricator.wikimedia.org/tag/secscrum/) and we'll be in touch if anything changes / is of concern. Thanks!

@bd808 we have placed you in queue for next quarter, with work expected to begin in May for a late June launch date. Please note that all relevant code should be in a production-ready state (close to deployment with low volatility) to maintain this estimated timeline per our SOP: https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews

Hi @bd808 - thank you for submitting this early! We will review in our call tomorrow and be in touch with any questions or concerns we have about getting you in queue.

Hi @AnneT -as we mentioned in our call, we're revamping our scheduling process a bit to provide more clarity and transparency around our workload management and prioritization process. You'll see that we've placed you into queue for this quarter: https://phabricator.wikimedia.org/tag/secscrum/ and @sbassett or @Reedy will be in touch with any questions or concerns. Thanks for your patience, and please feel free to reach out at any time!

Hi @AnneT - we're in the process of finalizing our queue for Q3 and we're wondering if you can let us know how close this is to production ready/what your timeline is? Thank you!

Hi @Jdlrobson - we're revamping our scheduling process a bit to provide more clarity and transparency around our workload management and prioritization process. You'll see that we've placed you into queue for this quarter, and will do our best to meet your target deployment date: https://phabricator.wikimedia.org/tag/secscrum/ and @sbassett or @Reedy will be in touch with any questions or concerns. Thanks for your patience as we work through this, and please feel free to reach out at any time!

Hi @CKoerner_WMF - we're revamping our scheduling process a bit to provide more clarity and transparency around our workload management and prioritization process. You'll see that we've placed you into queue for this quarter: https://phabricator.wikimedia.org/tag/secscrum/ and @sbassett or @Reedy will be in touch with any questions or concerns. Thanks for your patience as we work through this, and please feel free to reach out at any time!

@DannyS712 I've just spoken with @Reedy and at this point "by the end of the quarter" is what we are in a position to commit to. We appreciate that the grant was scheduled for the end of November, but I'm afraid we are still limited by pandemic resourcing, such as it is.

@Aklapper what magic did you work? I just got 5 verification emails :)

Thanks so much for working on this. When you get to step #5 above - where you receive an email to the new address? I never get that email.

@JTannerWMF - we've taken a look and would appreciate it if you would fill out the Security Readiness Review form. Thanks!

@Aklapper I am seeing both -ctr as primary and jcross as added but needing verification. I've clicked "verify" several times over several days and never received anything.

Hi @nnikkhoui - we were told that you are the new contact for both this ticket and https://phabricator.wikimedia.org/T257734. We're wondering if there are any changes we need to know about and whether you have a new deployment timeline? Thanks so much.

Hi @CKoerner_WMF - we just wanted to touch base as this is noted as a November target deployment date. With all of the holidays this month and a somewhat reduced capacity, we are looking to complete this towards the end of the month. We hope that works for your timeline?

HI @MusikAnimal - we've had a few bumps in the road recently and we do plan to complete it this quarter. We'll be in touch with any questions or concerns and we apologize for the delay.

Hi @Tchanders - we've moved this ticket to In Progress and I believe we are planning on having feedback for you in the next two weeks. Please let us know if you have any questions as we move forward. Thanks!