User:SBassett (WMF)/drafts/SRR SOP new

Original source material: https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews

Purpose
This document describes the process for requesting a security readiness review (a.k.a. security code review) and having that request completed by the Security Team. This is the review described within the current Preparing For Deployment documentation, as opposed to a security concept review or privacy review.

What type of project or code triggers this review process?
In theory, any code related to any Wikimedia project could be eligible for review. But given resources and constraints, here are some examples of code that the Security Team either likely will not review or absolutely will not review:

Code not likely to be reviewed:
 * Routine changes which are typically submitted through Gerrit and handled via standard code review
 * Security patches or other discreetly deployed code
 * Applications running under Cloud VPS, even high-visibility apps like Quarry, etc.
 * Any user-JavaScript or Gadgets which may run on various Wikimedia wikis

Code that will not ever be reviewed:
 * Any variety of stub code - be it a MediaWiki extension, service, etc. Boilerplate code is just that and cannot serve as a proxy for reviewing code that may one day exist.
 * Any Work-In-Progress (WIP) patch sets, regardless of their state of completion. If the code is in a stable, testable state, it should be code-reviewed and merged via Gerrit, GitHub, etc.
 * Any relevant patch sets which have not been code-reviewed and merged. Again, if the code is in a stable, testable state, it should be code-reviewed and merged via Gerrit, GitHub, etc. Exceptions can be made to this policy if a code merge is blocked on another key review (say, from a member of the Performance Team or SRE), but it will be the responsibility of the requester to ask for such an exception from the Security Team and confirm the current state of the code.