To report security bugs, vulnerabilities or other issues please follow our process.
=> Adding tags to a task does not change the visibility (access lists/ACLs) for that task (or any object). <=
- Only members of the #acl*security group can see access control fields to modify them in Phabricator
- Adding CC users to protected tasks allows access and can be done by users who are not members of acl*security
- Protect as security issue is a transform option on the right panel for all tasks. This is the correct way to convert a regular task to a security issue task.
- New tasks reported using recognized methods fall under the Wikimedia Security Team's Workflow and Intake process.
- acl*<foo> projects are the only valid projects to be used as part of an access list for any object in Phabricator. Similarly, any object not following the acl* convention should be open for membership. The only documented exception at this time is WMF-NDA, which is a bit of technical debt that needs to be addressed.
- Phabricator Spaces are available to create an easier to manage and understand (but less flexible) sensitive task workflow.
- PermanentlyPrivate is a project that can be added to an already sensitive task to indicate that it cannot be made public in the future. This may be a product of user information, protected logs, or other privacy issues.
Security Subtask Type Details
These are the requirements and functionality of the Security Issue subtask type.
- A basic reporting form that has bare needed fields should be available for all users
- A basic+ editing form should be available which allow adding context to the basic reporting. I.E. editing fields not shown on the basic creation form. The basic+ editing form can also be used for creation but isn't marked as a default creation form.
- Adding a subscriber (CC) allows access, including editing of the task, but CC users cannot change the task ACLs if they are not a member of acl*Security
- An advanced reporting and editing form should be available to members of Security
- An additional advanced reporting and editing form should be available to members of #acl*security-team which allows editing speciality fields used for team reporting purposes (summary, impact), that require prior knowledge to determine or are representative of formulaic output (risk rating). These field values show up on the task when present for all viewers.