Talk:Reporting security bugs
Redundancy
This page partly duplicates Security and is less discoverable. Can the two be merged or coordinated in some way, please? --Nemo 12:05, 31 January 2017 (UTC)
Support Common sense says merging is the right thing to do. @Pppery? Tactica (talk) 14:59, 26 July 2025 (UTC)
- Ehh... IMO having a separate 'reporting security bugs' page might make sense. I haven't checked the 2017 versions of the two pages, but it doesn't currently look like there's much duplication between the two: at a first glance, Security reads more like a high-level overview (and links to this page), whereas Reporting security bugs seems like a more detailed explanation about how to report security bugs in particular. (That's not to say this page doesn't need updating, though - some parts seem like they are no longer accurate to what currently happens.) (It's probably also worth noting that this page seems like the de facto security policy of all (Wikimedia-hosted? Wikimedia-deployed?) repositories, with (e.g.) it being linked from MediaWiki core's SECURITY file, and from the Phabricator homescreen. If this page didn't exist, then IMO we'd need another security policy to replace it with.) Best, —a smart kitten[meow] 19:25, 26 July 2025 (UTC)
- Hm... You may have a point there :) Anyway, right now we also have Manual:Security which is a very good article for the most part except for the bloated "See also" section. OTOH Security would be empty if you remove the list of subpages, move the bottom two sections to the template I just added and remove the redundancies in the remaining text. It should probably remain as a landing page but it needs more content. Tactica (talk) 19:57, 26 July 2025 (UTC)
When should a bug be reported as a security issue?
Sometimes, I find a bug and I don't really know if it should be considered as a security issue or not. It would be useful to have some criteria on this page.
To give examples: I didn't report phab:T33656, phab:T45137, phab:T102063 and phab:T150796 as security bugs. The last one was marked as a security bug afterwards. Should I have reported the others as such?
Of course, I could just mark bugs as security when I'm not sure and let the security team decide. But the resources to fix those issues seem limited (since only a small number of people can see them), so I don't want to needlessly do it.
Orlodrim (talk) 22:05, 23 May 2019 (UTC)
Contributing patches
It would probably make sense to add some additional language in this section for Gitlab and Github, since some Wikimedia code canonically lives under those git front-ends now. It likely makes sense to have a less strict policy for many of those repos. Maybe for things that aren't part of the bundled/core security release or services and code which are not deployed to Wikimedia production, we should advise contacting a project maintainer when a security PR/MR/change-set is about to be posted publicly? SBassett (WMF) (talk) 21:21, 10 October 2024 (UTC)
SOP?
Can anyone clarify what a SOP is, please? Tactica (talk) 05:06, 26 July 2025 (UTC)
- Standard operating procedure, I believe. —a smart kitten[meow] 06:23, 26 July 2025 (UTC)
- Thanks. I just found Security/SOP which confirms that. Tactica (talk) 14:45, 26 July 2025 (UTC)