On Wed, Jun 25, 2014 at 5:49 PM, Alex Monk krenair@gmail.com wrote:
Chris, why don't we leave privacy policy compliance to the users posting on the bug? Wikimedia personal user data shouldn't be going to the security product.
There are a few cases where there may be legitimate private data in a security bug ("look, sql injection, and here are some rows from the user table!", "Hey, this was supposed to be suppressed, and I can see it", "This user circumvented the block on this IP"). But there might be ways to flag or categorize a report as also including private data? Someone with more bugzilla experience would need to comment.
Why does WMF get the right to control access to MediaWiki security bugs anyway? Could we not simply host MediaWiki stuff externally? Perhaps on the servers of any other major MediaWiki user.
This certainly could be done. That "other major MediaWiki user" would have to be someone everyone trusts, and preferably with a strong track record of being able to keep their infrastructure secure. If there's a legitimate proposal to try it, let's definitely discuss.
Alex
Sent from phone
On Wed, Jun 25, 2014 at 4:28 PM, Tyler Romeo tylerromeo@gmail.com wrote:
Hey everybody,
So today at the iSEC Partners security open forum I heard a talk from Zane Lackey, the former security lead for Etsy, concerning the effectiveness of bug bounties.
He made two points:
- Bug bounties are unlikely to cause harm, especially for Wikipedia, which I asked him about, because the mere popularity of our service means we are already being scanned, pentested, etc. With a bounty program, there will be incentive for people to report those bugs rather than pastebin them.
- Even without a monetary reward, which I imagine WMF would not be able to supply, crackers are motivated simply by the "hall of fame", or being able to be recognized for their efforts.
Therefore, I thought it may be beneficial to take that over to Wikipedia and start our own bug bounty program. Most likely, it would be strictly a hall of fame like structure where people would be recognized for submitting bug reports (maybe we could even use the OpenBadges extension *wink* *wink*). It would help by increasing the number of bugs (both security and non-security) that are found and reported to us.
Any thoughts? (Of course, Chris would have to approve of this program before we even consider it.)
I've been thinking of at least putting up a list of top contributors on mediawiki.org for a while, and just hadn't had the time to do it. If anyone wants to compile that list from the list of closed security bugs, I'd be very supportive.
As for a more official program, the downside that I predict we would quickly hit (from talking to a few people who have run these) is the high volume of very low quality reports that have to be investigated and triaged. Which is something that just takes time from a human... so my evil_plans.txt towards this was (I really had almost this exactly in my todo list):
- Get more volunteers access to security bugs
  ** {{done}} get list of top contributors
  ** Find out from Philippe how to get a bunch of volunteers identified
  *** Doh, we're probably changing our identification process soon. On hold.
So, I was planning to wait until we have a more streamlined process for getting volunteers access to data that could potentially be covered by our privacy policy, then invite some people who have contributed significantly to MediaWiki's security in the past to get access to those bugs and help triage/assign/fix bugs, then look into starting something official or semi-official. But if a few of you would be willing to deal with our current identification/NDA process and are willing to help investigate reports, I'm happy to start working on it sooner.
-- Tyler Romeo 0xC86B42DF
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l