Wikimedia Security Team/Prioritization of bugs
This page is currently a draft.
The Security Team will generally set the priority of new security bugs based on the anticipated risk (a combination of impact and likelihood of exploitation). When assessing the impact, we try to account for both WMF-managed sites and other users of MediaWiki.
- Command Injection
- SQL Injection
- Publicly exposing editors' IP addresses
- Publicly exposing suppressed data
- Gaining additional, arbitrary user rights
Issues that affect the security of the application; "Critical"-impact issues in extensions that are not installed on WMF wikis; or "Normal"-impact issues that are being actively exploited.
- Impersonating another user
- Exploitable XSS
- CSRF (gaining access to a user's anti-CSRF token, or CSRF in a sensitive function)
- Site DoS
- CSRF in non-sensitive functionality
- XSS with significant restrictions on characters or length
- XSS in browsers used by fewer than 10% of our users
- Failure in anti-spam countermeasures
- Failure in anti-vandalism countermeasures
- Vulnerabilities that require a second vulnerability in order to be exploited
- XSS on non-WMF-project domain
- Missing hardening