In an effort to create a repeatable, streamlined process for consumption of security services the Security Team has been working on changes and improvements to our workflows. Much of this effort is an attempt to consolidate work intake for our team in order to more effectively communicate status, priority and scheduling. This is step 1 and we expect future changes as our tooling, capabilities and processes mature.

How to collaborate with the Security Team

The Security Team works in an iterative manner to build new and mature existing security services as we face new threats and identify new risks. For a list of currently deployed services available in this iteration please review our services page.

The initial point of contact for the majority of our services is now a consistent Request For Services [2] (RFS) form [3].

The two workflow exceptions to RFS are the Privacy Engineering [4] service and Security Readiness Review [5] process which already had established methods that are working well.

If the RFS forms are confusing or don't lead you to answers you need try security-help@wikimedia.org to get assistance with finding the right service, process, or person

security@wikimedia.org will continue to be our primarily external reporting channel

Coming changes in Phabricator

We will be disabling the workboard on the Privacy [6] project. This workboard is not actively or consistently cultivated and often confuses those who interact with it. Privacy is a legitimate tag to be used in many cases, but the resourced privacy contingent within WMF will be using the Privacy engineering [7] component.

We will be disabling the workboard for the Security [8] project. Like the Privacy project this workboard is not actively or consistently cultivated and is confusing. Tasks which are actively resourced should have an associated group [9] tag such as Security Team [10].

The Security project will be broken up into subprojects with meaningful names that indicate user relation to the Security landscape. This is in service to Security no longer serving double duty as an ACL and a group project. This closes long standing debt and mirrors work done in T90491 for SRE to improve transparency. This means an ACL*Security-Issues project will be created and Security will still be available to link cross cutting issues, but will also allow equal footing for membership for all Phabricator users.

Other Changes

A quick callout to the consistency [11] and Gerrit sections of our team handbook [12]. As a team we have agreed that all changesets we interact on need a linked task with the Security-Team tag.

security@ will soon be managed as a Google group collaborative inbox [13] as outlined in T243446, This will allow for an improved workflow and consistency in interactions with inquiries.

Thanks
John

[1] Security Services
https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Services
[2] RFS docs
https://www.mediawiki.org/wiki/Security/SOP/Requests_For_Service
[3] RFS form
https://phabricator.wikimedia.org/maniphest/task/edit/form/72/
[4] Privacy Engineering form
https://form.asana.com/?hash=554c8a8dbf8e96b2612c15eba479287f9ecce3cbaa09e235243e691339ac8fa4&id=1143023741172306
[5] Readiness Review SOP
https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews
[6] Phab Privacy tag
https://phabricator.wikimedia.org/tag/privacy/
[7] Privacy Engineering Project
https://phabricator.wikimedia.org/project/view/4425/
[8] Security Tag
https://phabricator.wikimedia.org/tag/security/
[9] Phab Project types
https://www.mediawiki.org/wiki/Phabricator/Project_management#Types_of_Projects
[10] Security Team tag
https://phabricator.wikimedia.org/tag/security-team/
[11] Security Team Handbook
https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Handbook#Consistency
[12] Secteam handbook-gerrit
https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Handbook#Gerrit
[13] Google collab inbox
https://support.google.com/a/answer/167430?hl=en