Talk:Reporting security bugs
When should a bug be reported as a security issue?
Sometimes, I find a bug and I don't really know if it should be considered as a security issue or not. It would be useful to have some criteria on this page.
To give examples: I didn't report phab:T33656, phab:T45137, phab:T102063 and phab:T150796 as security bugs. The last one was marked marked as a security bug afterwards. Should I have reported the others as such?
Of course, I could just mark bugs as security when I'm not sure and let the security team decide. But the resources to fix those issues seem limited (since only a small number of people can see them), so I don't want to needlessly do it.