I’ll be frank. I care a lot more about the security of MediaWiki as a software product, as well as the security of its customers (both WMF and third-party) than I do about some made-up notion of “open access” to security bugs.
I think it makes complete sense to have people with access to security bugs sign an agreement saying they will not release said bugs to the public until they have been fixed, released, and announced properly. -- Tyler Romeo 0xC86B42DF
From: MZMcBride <z@mzmcbride.com>
Reply: Wikimedia developers <wikitech-l@lists.wikimedia.org>
Date: June 26, 2014 at 9:44:25
To: Wikimedia developers <wikitech-l@lists.wikimedia.org>
Subject: Re: [Wikitech-l] MediaWiki Bug Bounty Program
Any process that involves volunteers signing non-public, indefinite vows of secrecy and silence is antithetical to Wikimedia's values and mission. This isn't a cult. Our bedrock principles are open access and transparency.