Hi everyone,
Currently we only credit people who report security vulnerabilities at https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Thanks (which basically nobody reads or knows exists) and sometimes in the commit message and release announcements. Given such people are instrumental in keeping MediaWiki secure, I think we should also credit them in the CREDITS file. I propose adding another section to the file - "Vulnerability Reporters", listing the names of everyone who has reported a security vulnerability in either MediaWiki or a bundled extension.
Thoughts?
-- Brian