Reporting security bugs

This page documents how to report security bugs. We support responsible disclosure and we hope that anyone who finds a potential security issue in our ecosystem acts with discretion and forbearance.

Reporting a vulnerability
To report a vulnerability in MediaWiki, please email security@wikimedia.org or open a bug in Phabricator by using the Report Security Issue form. Such reports will not be publicly visible.

Please include in your report
When you report a security vulnerability in MediaWiki, please provide:
 * Step-by-step instructions to reproduce the issue, or proof-of-concept code demonstrating the issue
 * If the vulnerability can be reproduced on a Wikimedia wiki such as Wikipedia or Wiktionary, which wiki it is, as site configurations vary
 * Whether you are logged in or logged out when the issue occurs
 * For XSS or other vulnerabilities that require a specific browser or plugin, which browser and version you are using

If you report the vulnerability by email to security@wikimedia.org, let us know if you have a Wikimedia Phabricator account, and we will add you to the bug we create so you can track the status.

Patches
If you would like to provide a patch for a security bug, please add it as an attachment to the Phabricator task. You can either drag-and-drop the patch into the comment area, or include a diff of the patch as a comment. Please do not add it as a patchset in Gerrit. All Gerrit patchsets (including "drafts") are publicly accessible.
 * See Developing security patches for more information about developing patches for security issues.
 * See How to deploy code for how these patches are deployed.

What happens when I report a bug
When you report a security flaw in MediaWiki, we will:
 * Determine whether we consider it to be a security issue within MediaWiki's threat model
 * Attempt to reproduce the issue, and assign a priority to the bug based on its impact
 * Add a patch in Phabricator, which another person will review
 * Include regression tests in the patch whenever possible
 * Deploy the patch on the Wikimedia cluster, and give access to the patch to a few trusted partners and distributors
 * Include the patch in the next release of MediaWiki. If the impact of the vulnerability is especially bad, or we have indication that it is being actively exploited, we will make a special security release of MediaWiki to ensure third parties are protected
 * Unless you explicitly indicate that certain information shouldn't be published, we will make the Phabricator ticket public when the fix is released, and credit you in the release announcement. If you report the issue via email to security@wikimedia.org, the email may be publicly released, including your email address and signature, unless you ask that some information from the email not be published.
 * Credit will be given to the reporter in the commit message fixing the issue
 * Credit will be given to the reporter in the official announcement email going to the MediaWiki-announce mailing list
 * Credit will be given on Wikimedia Security Team/Thanks for vulnerabilities that are in MediaWiki core or a bundled extension [Todo: Clarify process around non-MediaWiki core security bugs]
 * [Proposed, as of right now this does not happen] For Security issues in MediaWiki core or an extension, the reporter will be added to a special "Security Researchers" section of the page Special:Version/credits and the CREDITS text file (in the source code) included with MediaWiki.

Tracking
When possible during the remediation process, the security bugs should have comments that include:
 * Step-by-step instructions to reproduce the issue (if not included in the initial report)
 * Links to the commits that introduced the bug
 * Link to the Gerrit changeset that fixes the bug
 * OWASP vulnerability category (using OWASP Top 10 for 2017), or CWE id (using CWE By Research Concepts)
 * CVE if assigned (using the NIST CVE database)