Wikimedia Security Team
Motto: We seek to secure access to and the integrity of free knowledge.
Mission
The security organization exists to serve and guide the community and Foundation by providing security services to inform risk and to cultivate a culture of security.
Team Ideals
These are the expected behaviors for anyone on the WMF Security team:
Trust
For us to be successful, folks have to trust us and we need to trust each other.
- We are all in this together and “teamwork” extends beyond the security team.
- We each have a job to do, and while you may feel your approach is the best, we need to respect each other. Allow others to do their job.
Adaptability
We value self-starters, collaboration, and initiative.
- Solving problems is tricky - don’t be afraid to take a 1st step.
- Perfect is the enemy of good.
Constructive discourse
Is based on active listening, clear documentation, and doesn’t shy away from conflict when appropriate. We aim to be compassionate.
- Behaviors such as being combative, strawdogging, bikeshedding, and fixed thinking do not help move the solution forward.
Move on
Strive for improvement, forgive, forget and start new. A single interaction with someone does not define who they are.
Culture of Learning
- Don’t be afraid to push yourself, take on stretch goals.
- Share the knowledge you have, share your successes and your failures.
- Be receptive to learning from others. Nobody knows everything.
- What went well, what didn’t, what should I do next time? Every day is an opportunity and you will both fail and succeed on a regular basis. Adversity is your friend; failures are expected!
- Tell someone! You’re not alone with your failure as soon as you share it.
- Don’t let your manager be surprised - let them be your advocate.
Healthy body, mind and team
If you are stressed out, sick or just need a break, feel free to get away from all of this! That doesn’t mean you can ignore your work forever, but get out of here for a while and go for a walk, read a book, take a nap, stare at the clouds. We need you, but we need you healthy; none of this work is going anywhere and we will survive while you are gone. Part of building trust is being able to be vulnerable, so it’s ok to talk about it and, from time to time, to step away from all this.
- Be sure to follow guidelines and procedures where applicable.
Practice gratitude
Be thankful. We have a great team filled with super awesome folks. Don't let negativity chart your or our path forward.
- Make the effort to thank people. Do this publicly when that would be appreciated.
- Speak with your manager if you feel as though additional recognition is warranted.
Please remember you represent the entire team. Patience and civility are requirements for all communications.
Handbook
Our team handbook outlines our commitment to the Foundation and each other, as well as the expectations we have around team processes and norms.
CNA Partnership
The Wikimedia Foundation has been an official partner of the CVE program since 2024. The CVE program is an international effort to catalog publicly disclosed cybersecurity vulnerabilities. This partnership allows the Security Team to instantly publish common vulnerabilities and exposures (CVE) records affecting MediaWiki core, extensions, and skins, along with any other code the Foundation is a steward of.
CVEs are assigned at the discretion of the Security Team and publicly announced in this GitLab repository. To learn more about our Security Issue reporting process please check out the process. Security issues are also announced quarterly on the mediawiki-announce email list.
The Security team has internal documentation on the Supplemental Release Process.
Contacting Us
- Our Request for Service SOP explains in detail how to request work from the Security Team: Security/SOP/Requests For Service
- For all other questions or if you require assistance in determining your Security needs, email security-help@wikimedia.org
- We are also happy to field general questions in #talk-to-security within the WMF's Slack instance.
Work Intake Commitment
Tasks that follow a recognized Flow will, at a minimum, be discussed by the Security Team during our weekly clinic meeting. The Security Team is a limited component within the Wikimedia Foundation, and tasks that cannot be resourced or are not part of the team charter will be left with the general #security project attached.
Team
- Cleo Lemoisson
- Aranya Prum