Details

Reporting a vulnerability

To report a vulnerability in MediaWiki, please email [email protected] or open a bug in Phabricator by setting the Security dropdown to "Software security bug" in the "Create New Task" dialog. Such reports will not be publicly visible. Currently, there is no budget for security reports. This means no bounties are paid by Wikimedia Foundation for discovering security bugs on these projects, either in money or in merchandise."

Please include in your report

When you report a security vulnerability in MediaWiki, please provide:

Step-by-step instructions to reproduce the issue, or proof-of-concept code demonstrating the issue
If the vulnerability can be reproduced on a WMF wiki, please indicate which wiki, as site configurations vary
Please indicate if you are logged in or logged out when the issue occurs
For XSS or vulnerabilities that require a specific browser or plugin, please indicate which browser and version you are using

If you report the vulnerability by email to [email protected], let us know if you have a Wikimedia Phabricator account, and we will add you to the bug we create so you can track the status.

Patches

If you would like to provide a patch for a security bug, please add it as an attachment to the Phabricator task. You can either drag-and-drop the patch into the comment area, or include a diff of the patch as a comment. Please do not add it as a patchset in gerrit. All gerrit patchsets (including "drafts") are publicly accessible.

What happens when I report a bug

When you report a security flaw in MediaWiki, we will:

Attempt to reproduce the issue, and assign a priority to the bug based on its impact.
A patch will be added in Phabricator, and another person will review it.
- The patch should contain regression tests, whenever possible.
The patch will be deployed on the Wikimedia cluster, and access to the patch will be given to a few trusted partners and distributors.
The patch will be included in the next release of MediaWiki. If the impact of the vulnerability is especially bad, or we have indication that it is being actively exploited, we will make a special security release of MediaWiki to ensure third parties are protected.
Unless you explicitly indicate that certain information shouldn't be published, we will make the Phabricator ticket public when the fix is released, and credit you in the release announcement.

Tracking

When possible during the remediation process, the security bugs should have comments that include:

Step-by-step instructions to reproduce the issue (if not included in the initial report)
The commit or commits that introduced the bug
Link to the gerrit commit fixing the bug
OWASP vulnerability category (using OWASP's top 10-2013), or CWE id
CVE if assigned

Reporting a vulnerability

Please include in your report

When you report a security vulnerability in MediaWiki, please provide:

Step-by-step instructions to reproduce the issue, or proof-of-concept code demonstrating the issue

If the vulnerability can be reproduced on a WMF wiki, please indicate which wiki, as site configurations vary

Please indicate if you are logged in or logged out when the issue occurs

For XSS or vulnerabilities that require a specific browser or plugin, please indicate which browser and version you are using

If you report the vulnerability by email to [email protected], let us know if you have a Wikimedia Phabricator account, and we will add you to the bug we create so you can track the status.

Patches

What happens when I report a bug

When you report a security flaw in MediaWiki, we will:

Attempt to reproduce the issue, and assign a priority to the bug based on its impact.

A patch will be added in Phabricator, and another person will review it.

The patch should contain regression tests, whenever possible.

The patch will be deployed on the Wikimedia cluster, and access to the patch will be given to a few trusted partners and distributors.

The patch will be included in the next release of MediaWiki. If the impact of the vulnerability is especially bad, or we have indication that it is being actively exploited, we will make a special security release of MediaWiki to ensure third parties are protected.

Unless you explicitly indicate that certain information shouldn't be published, we will make the Phabricator ticket public when the fix is released, and credit you in the release announcement.

Tracking

When possible during the remediation process, the security bugs should have comments that include:

Step-by-step instructions to reproduce the issue (if not included in the initial report)

The commit or commits that introduced the bug

Link to the gerrit commit fixing the bug

OWASP vulnerability category (using OWASP's top 10-2013), or CWE id

CVE if assigned