Wikimedia Security Team/Documentation

From MediaWiki.org

This page explains how the Wikimedia Security Team is organizing its documentation.

To report security bugs, vulnerabilities, or other issues, please follow our process.

Introduction

Security is a broad topic across the Wikimedia Foundation and the wider community.

Contexts in which we talk about security include (but are not limited to):

  • Training materials published by community members for the wider world
  • Training materials for WMF staff
  • Training materials for MediaWiki developers
  • Information about the Wikimedia Foundation Security Team
  • Information about Wikimedia Foundation Security Policy
  • Details about MediaWiki as a project
  • Standard Operating Procedures (SOPs) for reporting issues
  • Procedural guides for implementation of features or extensions
  • Governance issues
  • Compliance issues
  • Risk management frameworks
  • ...

These areas can also have different practical outcomes for different projects and communities, and so there is a lot to digest and sort through to find out about any particular topic. Because of this complexity, the Wikimedia Security team is adopting a few strategies to maintain the spaces in which it curates documentation. The scope is only pages which the Wikimedia Security team is committed to maintaining in service to other teams and communities.

Goals for this documentation strategy

  • Improve discoverability through consistency in structure
  • Improve consistency through documenting the intended structure and expectations (this page, among others)
  • Improve quality through active curation
  • Improve transparency by continually examining the need for confidentiality where it exists

Projects where this strategy is being employed

Project                    Use by Wikimedia Security Team
mediawiki.org              General content for Policy, SOP, etc. Team landing page.
meta.wikimedia.org         Policy and other content for translation.
office.wikimedia.org       Sensitive or private content
foundation.wikimedia.org   Canonical location for Policy
wikitech.wikimedia.org     Procedural or instructional material that is not training

Use of a predictable landing page in /wiki/Security

On the applicable projects we plan to use /wiki/Security as a common landing page. These pages will be interlinked between projects, and will strive to function as a funnel for the user to the appropriate content. The intention is that this common entry point will allow us to structure other content around it, and as subpages under it.

Curation guiding principles

Pages that relate to the Wikimedia Security team can sometimes have unusual or distinct best practices:

  • Sometimes stale content is worse than no content because, even in the case of draft or other notices, users will acquire a false sense of safety. In these cases, completely stagnant pages for which there is no maintained current alternative may be best redirected to the /wiki/Security landing page or, in the case of team-oriented documentation, to the team's landing page.
  • Use of subpages for discovery under /wiki/Security is encouraged if consistent
  • office.wikimedia.org should only be used for confidential content which is not public. Other pages, even if informal, should live on mediawiki.org.
  • Use of page moving as a process for developing content maturity is encouraged if consistent and documented. Example for Policy creation: /wiki/Security/Policy/Draft/Foo (initial wording) => /wiki/Security/Policy/Candidates/Foo (soliciting feedback) => /wiki/Security/Policy/Foo (as a redirect to the version for translation on meta once approved).
  • Define an official process and a single page for reporting security issues. This should be referenced (at a minimum) on every /wiki/Security landing page.

Cross-wiki Path Conventions

/wiki                                        Purpose
/Security                                    Main landing page
/Security/SOP                                Procedures and processes for Security and Governance
/Security/SOP/Draft                          SOP drafts landing page
/Security/Policy                             Policy landing page
/Security/Policy/Candidates                  Needed policy ideas and notes
/Security/Policy/Draft                       Policy drafts landing page
/Security/Policy/Abandoned                   Policy that does not pass solicitation phase
/Security/Training                           Training materials for a variety of audiences
/Wikimedia_Security_Team                     If applicable, team page for specific projects. Usually a redirect to Wikimedia Security Team
/Wikimedia_Security_Team/WIP                 Immature team materials and work product
/Wikimedia_Security_Team/Onboarding          Onboarding workflows and landing page (kept on Officewiki)
/Wikimedia_Security_Team/Onboarding/<user>   Onboarding user pages and notes (kept on officewiki)

Categories in Use

  • wikimedia security team
  • Security

Expectations for members of the Security Team

  • If you are creating a new Policy or SOP, then create a page either on mediawiki.org (to work on it in public) or office.wikimedia.org (to work in semi-private).
  • Please watch the pages in the wikimedia security team category so that we can help maintain them and deal with vandalism as a team.
  • Update this page as needed for clarity and current practice.