OK, so really the process that we need here is:
1) Get more people on the security team via NDA and whatnot (sign me up, by the way, obviously)
2) Develop a triage system to quickly investigate and handle invalid and duplicate bugs
3) Determine when and how we're going to do the program
4) Do it.
-- Tyler Romeo 0xC86B42DF
From: Brian Wolff <bawolff@gmail.com>
Reply: Wikimedia developers <wikitech-l@lists.wikimedia.org>
Date: June 26, 2014 at 0:34:54
To: Wikimedia developers <wikitech-l@lists.wikimedia.org>
Subject: Re: [Wikitech-l] MediaWiki Bug Bounty Program
On 6/26/14, Chris Steipp csteipp@wikimedia.org wrote:
On Wed, Jun 25, 2014 at 5:49 PM, Alex Monk krenair@gmail.com wrote:
Chris, why don't we leave privacy policy compliance to the users posting on the bug? Wikimedia personal user data shouldn't be going to the security product.
There are a few cases where there may be legitimate private data in a security bug ("look, sql injection, and here are some rows from the user table!", "Hey, this was supposed to be suppressed, and I can see it", "This user circumvented the block on this IP"). But there might be ways to flag or categorize a report as also including private data? Someone with more bugzilla experience would need to comment.
Why does WMF get the right to control access to MediaWiki security bugs anyway? Could we not simply host MediaWiki stuff externally? Perhaps on the servers of any other major MediaWiki user.
This certainly could be done. That "other major MediaWiki user" would have to be someone everyone trusts, and preferably with a strong track record of being able to keep their infrastructure secure. If there's a legitimate proposal to try it, let's definitely discuss.
Personally I'd prefer that MediaWiki related support software stay hosted by WMF (at least for the foreseeable future). WMF just seems like the logical people to host it, and I don't see any harm in MediaWiki being a "Wikimedia project" in a similar sense as Wikipedia is a Wikimedia project. What I would like to see though is a MediaWiki world where WMF is not special. What I mean by that is that being a WMF employee/contractor wouldn't get you any special treatment - trusted people would get special access where needed because they're trusted and have demonstrated their competence. A WMF staffer would have to go through the same procedure as anyone else would have to in order to get any sort of special access. Many of the people who have special access would still be WMF employees, since WMF employs most senior developers, but it wouldn't be "you're a WMF employee = here's access to everything even if you don't need it", "you're not a WMF employee = have to jump through a million hoops plus sign something in blood plus bribe someone to get access to things that would be extremely helpful to your work".
--bawolff
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l