Reporting security bugs/zh

本页面介绍了提交与维基媒体基金会运营或维护的软件及服务有关的安全漏洞的流程. 这包括MediaWiki及诸如维基百科等维基媒体项目.

我们允许负责任的披露，同时希望任何在我们的软件生态中发现安全漏洞的人都能保持宽容、谨慎行事.

什么是安全漏洞
以下列举的只是一个大致的标准，而非详尽列表.
 * 由于受到攻击，造成至少一项维基媒体生态服务的可用性受到影响时.


 * 托管于维基媒体基金会或附属实体的数据完整性存在被破坏、篡改或以未经授权的方式修改的风险时.


 * 维基媒体基金会或其附属实体拥有的数据的机密性受到损害，如本应限制访问的私密信息被刻意或无意地泄露、窃取或以未经授权的方式公开时.

报告安全问题
如需报告安全问题，请发送邮件至[mailto:security@wikimedia.org security&#64;wikimedia.org]，或使用Phabricator上的“Report Security Issue”（报告安全问题）表单.

此类报告在创建时不会对公众公开. 在问题解决后，请参阅下文了解后续流程.

在安全问题报告中应包含什么
如果您通过向[mailto:security@wikimedia.org security&#64;wikimedia.org]发送邮件报告问题，请告诉我们您是否有Wikimedia Phabricator账号，以便我们将您添加至我们创建的bug中，这样您就可以追踪后续进度.
 * 复现问题的逐步流程
 * 如果可能的话，请提供概念验证（Proof of Concept）代码
 * 如果问题可在维基媒体计划（如维基百科或维基词典）中复现，请指出是哪个计划，因为不同站点的配置不一样
 * 如果适用，请指出您在问题发生时是否登入或登出了账户
 * 对于XSS，或问题涉及到特定的浏览器或插件，请指出您使用的浏览器及其版本号. 所使用的任何软件的具体版本号都会有帮助.
 * OWASP vulnerability category (using OWASP Top 10 for 2017), or CWE id (using CWE By Research Concepts)
 * CVE if assigned (using the NIST CVE database)
 * Any other information needed to investigate and reproduce the issue

Phabricator账户能通过现有的SUL Wiki账户创建.

What happens when security issues are reported
We will:
 * Determine whether we consider it to be a security issue
 * Attempt to reproduce the issue, and assign a priority to the bug based on its impact.
 * A patch will be added in Phabricator, and another person will review it.
 * The patch should contain regression tests, whenever possible.
 * The patch will be deployed on the Wikimedia cluster, and access to the patch will be given to a few trusted partners and distributors.
 * If applicable, the patch will be included in the next release of MediaWiki. If the impact of the vulnerability is especially bad, or we have indication that it is being actively exploited, we will make a special security release of MediaWiki to ensure third parties are protected.
 * Unless you explicitly indicate that certain information must not be published, we will make the Phabricator ticket public when the fix is released, and credit you in the release announcement. If you report the issue via email to security@undefinedwikimedia.org the email itself may be publicly released. This may include your email address and signature unless you request otherwise. The Phabricator tag PermanentlyPrivate will ensure reports are kept confidential in perpetuity.

Crediting reporters

 * Credit will be given to the reporter in the commit message fixing the issue
 * Credit will be given to the reporter in the official announcement email going to the MediaWiki-announce mailing lists
 * Credit will be given on Wikimedia Security Team/Thanks for vulnerabilities in MediaWiki core or a bundled library, skin, or extension.
 * Currently, there is no budget for security reports. This means no bounties are paid by Wikimedia Foundation for discovering security bugs on these projects, either in money or in merchandise.

Tracking report remediation
When possible during the remediation process, the security bugs should have comments that include: Reporter access to their own authored reports is standard, but to gain access to security protected issues generally there is a separate process
 * Step-by-step instructions to reproduce further issues
 * Links to the commits that introduced the bug
 * Links to the Gerrit changesets that fixes the bug

Contributing patches
If you would like to provide a patch for a security bug, please add it as an attachment to the Phabricator task. You can either drag-and-drop the patch into the comment area, or include a diff of the patch as a comment.

Please do not submit patches to Gerrit. All Gerrit changes (including "drafts") are publicly accessible.
 * See Creating a Security Patch section on wikitech for steps to create these patches, and Security patches section for how these patches are deployed.