Wikimedia Security Team/Documentation

The Wikimedia Security team is overhauling much of our collective documentation. This page explains what and how we're doing it.

To report security bugs, vulnerabilities or other issues please follow our process.

Introduction
Security is a broad topic across the Wikimedia Foundation and the wider community.

Contexts when we talk about Security include (but are not limited to):


 * Training materials published by community members for the wider world
 * Training materials for WMF staff
 * Training materials for Mediawiki developers
 * Information about the Wikimedia Foundation Security Team
 * Information about Wikimedia Foundation Security Policy
 * Details about Mediawiki as a project
 * Standard Operating Procedures (SOPs) for reporting issues
 * Procedural guides for implementation of features or extensions
 * Governance issues
 * Compliance issues
 * Risk management frameworks

These areas can also have different practical outcomes for different projects and communities, and so there is a lot to digest and sort through to find out about any particular topic. Because of this complexity, the Wikimedia Security team is adopting a few strategies to maintain the spaces in which it curates documentation. The scope is only pages which the Wikimedia Security team is committed to maintaining in service to other teams and communities.

Goals for this documentation strategy

 * Improve discoverability through consistency in structure
 * Improve consistency through documenting the intended structure and expectations (this page, among others)
 * Improve quality through active curation
 * Improve transparency by continually examining the need for confidentiality where it exists

Use of a predictable landing page in /wiki/Security
On the applicable projects we plan to use /wiki/Security as a common landing page. These pages will be interlinked between projects, and will strive to function as a funnel for the user to the appropriate content. The intention is that this common entry point will allow us to structure other content around it, and as subpages under it.

Curation guiding principles
Pages that relate to the Wikimedia Security team can sometimes have unusual or distinct best practices:


 * Sometimes stale content is worse than no content as, even in the case of draft of other notices, users will acquire a false sense of safety. In these cases, completely stagnant pages for which there is no maintained current alternative may be best redirected to the landing page of /wiki/Security, or in the case of team oriented documentation to the team's landing page.
 * Use of subpages for discovery under /wiki/Security is encouraged if consistent
 * Office.wikimedia.org should only be used for confidential content which is not public. Other pages, even if informal, should live on mediawiki.org
 * Use of page moving as process for content maturity development is encouraged if consistent and documented. Example for Policy creation: /wiki/Security/Policy/Draft/Foo (initial wording) => /wiki/Security/Policy/Proposed/Foo (soliciting feedback) => /wiki/Security/Policy/Foo (as a redirect to version for translation on meta once approved).
 * Define an official process and a single page for reporting security issues. This should be referenced (at a minimum) on every /wiki/Security landing page.