Wikimedia Security Team/Prioritization of bugs

From mediawiki.org

The Security Team will generally set the priority of new security bugs based on the anticipated risk (combination of both impact and likelihood of exploitation). When assessing the impact, we try to account for both WMF-managed sites and other users of MediaWiki.

Unbreak Now!

Issues that affect the underlying system or violate our privacy policy: remote code execution, leaking private data to the public, or "High" impact vulnerabilities that are being actively exploited.

  • Command Injection
  • SQL Injection
  • Publicly exposing IP of Editors
  • Publicly exposing suppressed data
  • Gaining additional, arbitrary user rights

High

Issues that affect the security of the application, "Critical" impact issues in extensions that are not installed on WMF wikis, or "Normal" impact issues that are being actively exploited.

  • Impersonating another user
  • Exploitable XSS
  • CSRF (gaining access to a user's anti-CSRF token, or CSRF in a sensitive function)
  • Site DoS

Normal

  • CSRF in non-sensitive functionality
  • XSS with significant restriction on characters / length
  • XSS in browsers used by < 10% of our users
  • Failure in anti-spam countermeasures
  • Failure in anti-vandalism countermeasures

Low

  • Vulnerabilities that require a second vulnerability in order to be exploited
  • XSS on non-WMF-project domain
  • Missing hardening

Lowest