Reporting security bugs

Reporting a vulnerability
To report a vulnerability in MediaWiki, please email security&#64;wikimedia.org or open a bug in bugzilla using the Security component. Bugs in the Security component will not be publicly visible.

Please include in your report
When you report a security vulnerability in MediaWiki, please provide:
 * Step-by-step instructions to reproduce the issue, or proof-of-concept code demonstrating the issue
 * If the vulnerability can be reproduced on a WMF wiki, please indicate which wiki as site configurations vary
 * Please indicate if you are logged in or logged out when the issue occurs
 * For XSS or vulnerabilities that require a specific browser or browser plugin, please indicate which browser and version you are using

If you report the vulnerability by email to security&#64;wikimedia.org, let us know if you have a Wikimedia Bugzilla account, and we will add you to the bug we create so you can track the status.

What happens when I report a bug
When you report a security flaw in MediaWiki, we will:
 * Attempt to reproduce the issue, and assign a priority to the bug based on its impact.
 * A patch will be added in bugzilla, and another person will review it.
 * The patch will be deployed on the Wikimedia cluster, and access to the patch will be given to a few trusted partners and distributors.
 * The patch will be included in the next release of MediaWiki. If the impact of the vulnerability is especially bad, or we have indication that it is being actively exploited, we will make a special security release of MediaWiki to ensure third parties are protected.
 * Unless you explicitly indicate that certain information shouldn't be published, we will make the bugzilla bug public when the fix is released, and credit you in the release announcement.

Tracking
When possible during the remediation process, the security bugs should have comments that include:
 * The commit or commits that introduced the bug
 * Link to the gerrit commit fixing the bug
 * OWASP vulnerability category (using OWASP's top 10-2013), or CWE id
 * CVE if assigned