I’ll be frank. I care a lot more about the security of MediaWiki as a software product,
as well as the security of its customers (both WMF and third-party) than I do about
some made-up notion of “open access” to security bugs.
I think it makes complete sense to have people with access to security bugs sign an
agreement saying they will not release said bugs to the public until they have been
fixed, released, and announced properly.
From: MZMcBride <z(a)mzmcbride.com>
Reply: Wikimedia developers <wikitech-l(a)lists.wikimedia.org>>
Date: June 26, 2014 at 9:44:25
To: Wikimedia developers <wikitech-l(a)lists.wikimedia.org>>
Subject: Re: [Wikitech-l] MediaWiki Bug Bounty Program
Any process that involves volunteers signing non-public, indefinite vows
of secrecy and silence are antithetical to Wikimedia's values and mission.
This isn't a cult. Our bedrock principles are open access and transparency.