Security/SOP/Access to Phabricator Security Issues
SOP Name: WIKISEC-PHABSECACCESS-SOP
SOP Description: Process to gain access to sensitive and nonpublic issues in Phabricator
Authority: Director of Security
Review Required by: 2/28/2020
Author(s): Wikimedia Security Team
Data Classification: Public
Access to view and edit private Security issues in Phabricator by default is limited, and granted on an as-needed basis at the discretion of the Wikimedia Security Team. Access to individual tasks related to a particular issue or incident does not, by itself, constitute the need for access to all Security issues.
- Create a Phabricator account
- Sign a volunteer non-disclosure agreement or a WMF employee non-disclosure agreement. If you're already a working WMF employee, you have likely already signed an NDA as part of your Terms of Employment and can skip this. Real names are required at this step for NDA/Legal purposes, but are only visible to required personnel.
- Set up Two-Factor Authentication for your Phabricator account under Settings → Authentication → Multi-Factor Auth.
- If you are a WMF employee then link your Staff SUL account that ends in (WMF) to your Phabricator account. This should be created for you during the onboarding process by OIT.
- Submit an access request, supplying your Phabricator username, and the reason(s) you need access to private Security issues in Wikimedia Phabricator. Do not include private information in the access request.
Requests are reviewed on a weekly basis in the Security Team meeting, which is usually on Tuesday of each week.
Phabricator: Bug/Task tracking software used by Wikimedia Foundation and community