OK, so really the process that we need here is:
2) Get more people on the security team via NDA and whatnot (sign me up, by the way),
2) Develop a triage system to quickly investigate and handle invalid and duplicate bugs
3) Determine when and how we’re going to do the program
4) Do it.
From: Brian Wolff <bawolff(a)gmail.com>
Reply: Wikimedia developers <wikitech-l(a)lists.wikimedia.org>
Date: June 26, 2014 at 0:34:54
To: Wikimedia developers <wikitech-l(a)lists.wikimedia.org>
Subject: Re: [Wikitech-l] MediaWiki Bug Bounty Program
On 6/26/14, Chris Steipp <csteipp(a)wikimedia.org> wrote:
On Wed, Jun 25, 2014 at 5:49 PM, Alex Monk
compliance to the users posting
the bug? Wikimedia personal user data shouldn't be going to the security
There are a few cases where there may be legitimate private data in a
security bug ("look, sql injection, and here are some rows from the
user table!", "Hey, this was supposed to be suppressed, and I can see
it", "This user circumvented the block on this IP"). But there might
be ways to flag or categorize a report as also including private data?
Someone with more bugzilla experience would need to comment.
Why does WMF get the right to control access to MediaWiki security bugs
anyway? Could we not simply host MediaWiki stuff externally? Perhaps on
servers of any other major MediaWiki user.
This certainly could be done. That "other major MediaWiki user" would
have to be someone everyone trusts, and preferably with a strong track
record of being able to keep their infrastructure secure. If there's a
legitimate proposal to try it, let's definitely discuss.
Personally I'd prefer that MediaWiki related support software stay
hosted by WMF (at least for the foreseeable future). WMF just seems
like the logical people to host it, and I don't see any harm in
MediaWiki being a "Wikimedia project" in a similar sense as wikipedia
is a Wikimedia project. What I would like to see though is a mediawiki
world where WMF is not special. What I mean by that is that being a
WMF employee/contractor wouldn't get you any special treatment -
trusted people would get special access where needed because they're
trusted and have demonstrated their competence. A WMF staffer would
have to go through the same procedure as anyone else would have to to
get any sort of special access. Many of the people who have special
access would still be WMF employees, since WMF employs most senior
developers, but it wouldn't be "you're a wmf employee = here's access
to everything even if you don't need it", "you're not a WMF employee =
have to jump through a million hoops plus sign something in blood plus
bribe someone to get access to things that would be extremely helpful
to your work".
Wikitech-l mailing list