Security/SOP/Access to Phabricator Security Issues

SOP Name: WIKISEC-PHABSECACCESS-SOP

SOP Description: Process to gain access to sensitive and nonpublic issues in Phabricator

Authority: Director of Security

Last reviewed on: 28 February 2019

Author(s): Wikimedia Security Team

Data Classification: Public

Purpose
Access to view and edit private Security issues in Phabricator is limited by default, and is granted on an as-needed basis at the discretion of the Wikimedia Security Team. Access to individual tasks related to a particular issue or incident does not, by itself, constitute the need for access to all Security issues.

Procedure

 * 1) Create a Phabricator account
 * 2) Sign a volunteer non-disclosure agreement or a WMF employee non-disclosure agreement. If you're already a working WMF employee, you have likely already signed an NDA as part of your Terms of Employment and can skip this. Real names are required at this step for NDA/Legal purposes, but are only visible to required personnel.
 * 3) Set up Two-Factor Authentication for your Phabricator account under Settings → Authentication → Multi-Factor Auth.
 * 4) If you are a WMF employee, link your Staff SUL account that ends in (WMF) or -WMF to your Phabricator account. This account should be created for you during the onboarding process by OIT.
 * 5) Submit an access request, supplying your Phabricator username, and the reason(s) you need access to private Security issues in Wikimedia Phabricator. Do not include private information in the access request.
 * 6) If you are a WMF employee, your manager and the Security Team will sign off on your access. If you are not a WMF employee, access is granted at the discretion of the Security Team. Please note that in the latter case, there may be both a lengthier time period for approval and more onerous requirements for approval.

Requests are reviewed on a weekly basis in the Security Team clinic meeting, which is usually on Monday of each week.

Definitions
Phabricator: Bug/task tracking software used by the Wikimedia Foundation and community