Wikimedia Security Team/Prioritization of bugs

The Security Team will generally set the priority of new security bugs based on the anticipated risk (combination of both impact and likelihood of exploitation). When assessing the impact, we try to account for both WMF-managed sites and other users of MediaWiki.

Unbreak Now!
Issues that affect the underlying system or violate our privacy policy. Remote code execution, leaking private data to the public, "High" impact vulnerabilities that are being actively exploited.
 * Command Injection
 * SQL Injection
 * Publicly exposing IP of Editors
 * Publicly exposing suppressed data
 * Gaining additional, arbitrary user rights

High
Issues that affect the security of the application. "Critical" impact issues in extensions that are not installed on WMF wikis, or "Normal" impact issues that are being actively exploited.
 * Impersonating another user
 * Exploitable XSS
 * CSRF (gaining access to a users anti-csrf token, or CSRF in a sensitive function)
 * Site DoS

Normal

 * CSRF in non-sensitive functionality
 * XSS with significant restriction on characters / length
 * XSS in browsers used by < 10% of our users
 * Failure in anti-spam countermeasures
 * Failure in anti-vandalism countermeasures

Low

 * Vulnerabilities that require a second vulnerability in order to carry out
 * XSS on non-WMF-project domain
 * Missing hardening