CINXE.COM

Reporting security bugs - MediaWiki

<!DOCTYPE html> <html class="client-nojs vector-feature-language-in-header-disabled vector-feature-language-in-main-page-header-disabled vector-feature-sticky-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-enabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-disabled skin-theme-clientpref-day vector-toc-available" lang="en" dir="ltr"> <head> <meta charset="UTF-8"> <title>Reporting security bugs - MediaWiki</title> <script>(function(){var className="client-js vector-feature-language-in-header-disabled vector-feature-language-in-main-page-header-disabled vector-feature-sticky-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-enabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-disabled skin-theme-clientpref-day vector-toc-available";var cookie=document.cookie.match(/(?:^|; )mediawikiwikimwclientpreferences=([^;]+)/);if(cookie){cookie[1].split('%2C').forEach(function(pref){className=className.replace(new RegExp('(^| )'+pref.replace(/-clientpref-\w+$|[^\w-]+/g,'')+'-clientpref-\\w+( |$)'),'$1'+pref+'$2');});}document.documentElement.className=className;}());RLCONF={"wgBreakFrames":false,"wgSeparatorTransformTable":["",""],"wgDigitTransformTable":["",""], "wgDefaultDateFormat":"dmy","wgMonthNames":["","January","February","March","April","May","June","July","August","September","October","November","December"],"wgRequestId":"1aa6a44b-0b6c-4e17-9116-05d79702e85a","wgCanonicalNamespace":"","wgCanonicalSpecialPageName":false,"wgNamespaceNumber":0,"wgPageName":"Reporting_security_bugs","wgTitle":"Reporting security bugs","wgCurRevisionId":6793478,"wgRevisionId":6793478,"wgArticleId":266304,"wgIsArticle":true,"wgIsRedirect":false,"wgAction":"view","wgUserName":null,"wgUserGroups":["*"],"wgCategories":["Wikimedia Security Team","Security"],"wgPageViewLanguage":"en","wgPageContentLanguage":"en","wgPageContentModel":"wikitext","wgRelevantPageName":"Reporting_security_bugs","wgRelevantArticleId":266304,"wgIsProbablyEditable":false,"wgRelevantPageIsProbablyEditable":false,"wgRestrictionEdit":["autoconfirmed"],"wgRestrictionMove":["sysop"],"wgNoticeProject":"mediawiki","wgCiteReferencePreviewsActive":true,"wgMediaViewerOnClick":true, "wgMediaViewerEnabledByDefault":true,"wgVisualEditor":{"pageLanguageCode":"en","pageLanguageDir":"ltr","pageVariantFallbacks":"en"},"wgMFDisplayWikibaseDescriptions":{"search":true,"watchlist":true,"tagline":false,"nearby":true},"wgWMESchemaEditAttemptStepOversample":false,"wgWMEPageLength":9000,"wgTranslatePageTranslation":"source","wgCentralAuthMobileDomain":false,"wgEditSubmitButtonLabelPublish":true,"wgDiscussionToolsFeaturesEnabled":{"replytool":true,"newtopictool":true,"sourcemodetoolbar":true,"topicsubscription":false,"autotopicsub":false,"visualenhancements":false,"visualenhancements_reply":false,"visualenhancements_pageframe":false},"wgDiscussionToolsFallbackEditMode":"visual","wgULSPosition":"personal","wgULSisCompactLinksEnabled":true,"wgVector2022LanguageInHeader":false,"wgULSisLanguageSelectorEmpty":false,"wgCheckUserClientHintsHeadersJsApi":["brands","architecture","bitness","fullVersionList","mobile","model","platform","platformVersion"]};RLSTATE={ "ext.globalCssJs.user.styles":"ready","site.styles":"ready","user.styles":"ready","ext.globalCssJs.user":"ready","user":"ready","user.options":"loading","ext.translate.tag.languages":"ready","ext.discussionTools.init.styles":"ready","oojs-ui-core.styles":"ready","oojs-ui.styles.indicators":"ready","mediawiki.widgets.styles":"ready","oojs-ui-core.icons":"ready","skins.vector.search.codex.styles":"ready","skins.vector.styles":"ready","skins.vector.icons":"ready","ext.translate.edit.documentation.styles":"ready","ext.translate":"ready","ext.wikimediamessages.styles":"ready","ext.visualEditor.desktopArticleTarget.noscript":"ready","ext.uls.pt":"ready","wikibase.client.init":"ready","ext.wikimediaBadges":"ready"};RLPAGEMODULES=["site","mediawiki.page.ready","mediawiki.toc","skins.vector.js","ext.centralNotice.geoIP","ext.centralNotice.startUp","ext.translate.pagetranslation.uls","ext.urlShortener.toolbar","ext.centralauth.centralautologin","ext.visualEditor.desktopArticleTarget.init", "ext.visualEditor.targetLoader","ext.echo.centralauth","ext.discussionTools.init","ext.eventLogging","ext.wikimediaEvents","ext.navigationTiming","ext.uls.compactlinks","ext.uls.interface","ext.checkUser.clientHints"];</script> <script>(RLQ=window.RLQ||[]).push(function(){mw.loader.impl(function(){return["user.options@12s5i",function($,jQuery,require,module){mw.user.tokens.set({"patrolToken":"+\\","watchToken":"+\\","csrfToken":"+\\"}); }];});});</script> <link rel="stylesheet" href="/w/load.php?lang=en&amp;modules=ext.discussionTools.init.styles%7Cext.translate%2CwikimediaBadges%7Cext.translate.edit.documentation.styles%7Cext.translate.tag.languages%7Cext.uls.pt%7Cext.visualEditor.desktopArticleTarget.noscript%7Cext.wikimediamessages.styles%7Cmediawiki.widgets.styles%7Coojs-ui-core.icons%2Cstyles%7Coojs-ui.styles.indicators%7Cskins.vector.icons%2Cstyles%7Cskins.vector.search.codex.styles%7Cwikibase.client.init&amp;only=styles&amp;skin=vector-2022"> <script async="" src="/w/load.php?lang=en&amp;modules=startup&amp;only=scripts&amp;raw=1&amp;skin=vector-2022"></script> <meta name="ResourceLoaderDynamicStyles" content=""> <link rel="stylesheet" href="/w/load.php?lang=en&amp;modules=site.styles&amp;only=styles&amp;skin=vector-2022"> <meta name="generator" content="MediaWiki 1.44.0-wmf.4"> <meta name="referrer" content="origin"> <meta name="referrer" content="origin-when-cross-origin"> <meta name="robots" content="max-image-preview:standard"> <meta name="format-detection" content="telephone=no"> <meta name="viewport" content="width=1120"> <meta property="og:site_name" content="MediaWiki"> <meta property="og:title" content="Reporting security bugs - MediaWiki"> <meta property="og:type" content="website"> <link rel="alternate" media="only screen and (max-width: 640px)" href="//m.mediawiki.org/wiki/Reporting_security_bugs"> <link rel="apple-touch-icon" href="/static/apple-touch/mediawiki.png"> <link rel="icon" href="/static/favicon/mediawiki.ico"> <link rel="search" type="application/opensearchdescription+xml" href="/w/rest.php/v1/search" title="MediaWiki (en)"> <link rel="EditURI" type="application/rsd+xml" href="//www.mediawiki.org/w/api.php?action=rsd"> <link rel="canonical" href="https://www.mediawiki.org/wiki/Reporting_security_bugs"> <link rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/"> <link rel="alternate" type="application/atom+xml" title="MediaWiki Atom feed" href="/w/index.php?title=Special:RecentChanges&amp;feed=atom"> <link rel="dns-prefetch" href="//meta.wikimedia.org" /> <link rel="dns-prefetch" href="//login.wikimedia.org"> </head> <body class="ext-discussiontools-replytool-enabled ext-discussiontools-newtopictool-enabled ext-discussiontools-sourcemodetoolbar-enabled skin--responsive skin-vector skin-vector-search-vue mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-0 ns-subject page-Reporting_security_bugs rootpage-Reporting_security_bugs skin-vector-2022 action-view"><a class="mw-jump-link" href="#bodyContent">Jump to content</a> <div class="vector-header-container"> <header class="vector-header mw-header"> <div class="vector-header-start"> <nav class="vector-main-menu-landmark" aria-label="Site"> <div id="vector-main-menu-dropdown" class="vector-dropdown vector-main-menu-dropdown vector-button-flush-left vector-button-flush-right" > <input type="checkbox" id="vector-main-menu-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-main-menu-dropdown" class="vector-dropdown-checkbox " aria-label="Main menu" > <label id="vector-main-menu-dropdown-label" for="vector-main-menu-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-menu mw-ui-icon-wikimedia-menu"></span> <span class="vector-dropdown-label-text">Main menu</span> </label> <div class="vector-dropdown-content"> <div id="vector-main-menu-unpinned-container" class="vector-unpinned-container"> <div id="vector-main-menu" class="vector-main-menu vector-pinnable-element"> <div class="vector-pinnable-header vector-main-menu-pinnable-header vector-pinnable-header-unpinned" data-feature-name="main-menu-pinned" data-pinnable-element-id="vector-main-menu" data-pinned-container-id="vector-main-menu-pinned-container" data-unpinned-container-id="vector-main-menu-unpinned-container" > <div class="vector-pinnable-header-label">Main menu</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-main-menu.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-main-menu.unpin">hide</button> </div> <div id="p-navigation" class="vector-menu mw-portlet mw-portlet-navigation" > <div class="vector-menu-heading"> Navigation </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="n-mainpage-description" class="mw-list-item"><a href="/wiki/MediaWiki" title="Visit the main page [z]" accesskey="z"><span>Main page</span></a></li><li id="n-mw-download" class="mw-list-item"><a href="/wiki/Download"><span>Get MediaWiki</span></a></li><li id="n-mw-extensions" class="mw-list-item"><a href="/wiki/Special:MyLanguage/Category:Extensions"><span>Get extensions</span></a></li><li id="n-blog-text" class="mw-list-item"><a href="https://techblog.wikimedia.org/"><span>Tech blog</span></a></li><li id="n-mw-contribute" class="mw-list-item"><a href="/wiki/Special:MyLanguage/How_to_contribute"><span>Contribute</span></a></li> </ul> </div> </div> <div id="p-support" class="vector-menu mw-portlet mw-portlet-support" > <div class="vector-menu-heading"> Support </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="n-help" class="mw-list-item"><a href="/wiki/Special:MyLanguage/Help:Contents" title="The place to find out"><span>User help</span></a></li><li id="n-mw-faq" class="mw-list-item"><a href="/wiki/Special:MyLanguage/Manual:FAQ"><span>FAQ</span></a></li><li id="n-mw-manual" class="mw-list-item"><a href="/wiki/Special:MyLanguage/Manual:Contents"><span>Technical manual</span></a></li><li id="n-mw-supportdesk" class="mw-list-item"><a href="/wiki/Project:Support_desk"><span>Support desk</span></a></li><li id="n-mw-communication" class="mw-list-item"><a href="/wiki/Special:MyLanguage/Communication"><span>Communication</span></a></li> </ul> </div> </div> <div id="p-development" class="vector-menu mw-portlet mw-portlet-development" > <div class="vector-menu-heading"> Development </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="n-mw-developerportal" class="mw-list-item"><a href="https://developer.wikimedia.org/"><span>Developer portal</span></a></li><li id="n-svn-statistics" class="mw-list-item"><a href="/wiki/Development_statistics"><span>Code statistics</span></a></li> </ul> </div> </div> <div id="p-mediawiki.org" class="vector-menu mw-portlet mw-portlet-mediawiki_org" > <div class="vector-menu-heading"> mediawiki.org </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="n-portal" class="mw-list-item"><a href="/wiki/Project:Help" title="About the project, what you can do, where to find things"><span>Community portal</span></a></li><li id="n-recentchanges" class="mw-list-item"><a href="/wiki/Special:RecentChanges" title="A list of recent changes in the wiki [r]" accesskey="r"><span>Recent changes</span></a></li><li id="n-mw-translate" class="mw-list-item"><a href="/wiki/Special:LanguageStats"><span>Translate content</span></a></li><li id="n-randompage" class="mw-list-item"><a href="/wiki/Special:Random" title="Load a random page [x]" accesskey="x"><span>Random page</span></a></li><li id="n-mw-discussion" class="mw-list-item"><a href="/wiki/Project:Village_Pump"><span>Village pump</span></a></li><li id="n-Sandboxlink-portlet-label" class="mw-list-item"><a href="/wiki/Project:Sandbox"><span>Sandbox</span></a></li> </ul> </div> </div> <div id="p-lang" class="vector-menu mw-portlet mw-portlet-lang" > <div class="vector-menu-heading"> In other languages </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> <div class="after-portlet after-portlet-lang"><span class="wb-langlinks-add wb-langlinks-link"><a href="https://www.wikidata.org/wiki/Special:NewItem?site=mediawikiwiki&amp;page=Reporting+security+bugs" title="Add interlanguage links" class="wbc-editpage">Add links</a></span></div> </div> </div> </div> </div> </div> </div> </nav> <a href="/wiki/MediaWiki" class="mw-logo"> <img class="mw-logo-icon" src="/static/images/icons/mediawikiwiki.svg" alt="" aria-hidden="true" height="50" width="50"> <span class="mw-logo-container skin-invert"> <img class="mw-logo-wordmark" alt="MediaWiki" src="/static/images/mobile/copyright/mediawikiwiki-wordmark.svg" style="width: 7.5em; height: 1.125em;"> </span> </a> </div> <div class="vector-header-end"> <div id="p-search" role="search" class="vector-search-box-vue vector-search-box-collapses vector-search-box-show-thumbnail vector-search-box-auto-expand-width vector-search-box"> <a href="/wiki/Special:Search" class="cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only search-toggle" title="Search MediaWiki [f]" accesskey="f"><span class="vector-icon mw-ui-icon-search mw-ui-icon-wikimedia-search"></span> <span>Search</span> </a> <div class="vector-typeahead-search-container"> <div class="cdx-typeahead-search cdx-typeahead-search--show-thumbnail cdx-typeahead-search--auto-expand-width"> <form action="/w/index.php" id="searchform" class="cdx-search-input cdx-search-input--has-end-button"> <div id="simpleSearch" class="cdx-search-input__input-wrapper" data-search-loc="header-moved"> <div class="cdx-text-input cdx-text-input--has-start-icon"> <input class="cdx-text-input__input" type="search" name="search" placeholder="Search MediaWiki" aria-label="Search MediaWiki" autocapitalize="sentences" title="Search MediaWiki [f]" accesskey="f" id="searchInput" > <span class="cdx-text-input__icon cdx-text-input__start-icon"></span> </div> <input type="hidden" name="title" value="Special:Search"> </div> <button class="cdx-button cdx-search-input__end-button">Search</button> </form> </div> </div> </div> <nav class="vector-user-links vector-user-links-wide" aria-label="Personal tools"> <div class="vector-user-links-main"> <div id="p-vector-user-menu-preferences" class="vector-menu mw-portlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-uls" class="mw-list-item active user-links-collapsible-item"><a data-mw="interface" href="#" class="uls-trigger cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet"><span class="vector-icon mw-ui-icon-wikimedia-language mw-ui-icon-wikimedia-wikimedia-language"></span> <span>English</span></a> </li> </ul> </div> </div> <div id="p-vector-user-menu-userpage" class="vector-menu mw-portlet emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> <nav class="vector-appearance-landmark" aria-label="Appearance"> <div id="vector-appearance-dropdown" class="vector-dropdown " title="Change the appearance of the page&#039;s font size, width, and color" > <input type="checkbox" id="vector-appearance-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-appearance-dropdown" class="vector-dropdown-checkbox " aria-label="Appearance" > <label id="vector-appearance-dropdown-label" for="vector-appearance-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-appearance mw-ui-icon-wikimedia-appearance"></span> <span class="vector-dropdown-label-text">Appearance</span> </label> <div class="vector-dropdown-content"> <div id="vector-appearance-unpinned-container" class="vector-unpinned-container"> </div> </div> </div> </nav> <div id="p-vector-user-menu-notifications" class="vector-menu mw-portlet emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> <div id="p-vector-user-menu-overflow" class="vector-menu mw-portlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="pt-sitesupport-2" class="user-links-collapsible-item mw-list-item user-links-collapsible-item"><a data-mw="interface" href="https://donate.wikimedia.org/?utm_source=donate&amp;utm_medium=sidebar&amp;utm_campaign=spontaneous&amp;uselang=en" class=""><span>Donate</span></a> </li> <li id="pt-createaccount-2" class="user-links-collapsible-item mw-list-item user-links-collapsible-item"><a data-mw="interface" href="/w/index.php?title=Special:CreateAccount&amp;returnto=Reporting+security+bugs" title="You are encouraged to create an account and log in; however, it is not mandatory" class=""><span>Create account</span></a> </li> <li id="pt-login-2" class="user-links-collapsible-item mw-list-item user-links-collapsible-item"><a data-mw="interface" href="/w/index.php?title=Special:UserLogin&amp;returnto=Reporting+security+bugs" title="You are encouraged to log in; however, it is not mandatory [o]" accesskey="o" class=""><span>Log in</span></a> </li> </ul> </div> </div> </div> <div id="vector-user-links-dropdown" class="vector-dropdown vector-user-menu vector-button-flush-right vector-user-menu-logged-out" title="More options" > <input type="checkbox" id="vector-user-links-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-user-links-dropdown" class="vector-dropdown-checkbox " aria-label="Personal tools" > <label id="vector-user-links-dropdown-label" for="vector-user-links-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-ellipsis mw-ui-icon-wikimedia-ellipsis"></span> <span class="vector-dropdown-label-text">Personal tools</span> </label> <div class="vector-dropdown-content"> <div id="p-personal" class="vector-menu mw-portlet mw-portlet-personal user-links-collapsible-item" title="User menu" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="pt-sitesupport" class="user-links-collapsible-item mw-list-item"><a href="https://donate.wikimedia.org/?utm_source=donate&amp;utm_medium=sidebar&amp;utm_campaign=spontaneous&amp;uselang=en"><span>Donate</span></a></li><li id="pt-createaccount" class="user-links-collapsible-item mw-list-item"><a href="/w/index.php?title=Special:CreateAccount&amp;returnto=Reporting+security+bugs" title="You are encouraged to create an account and log in; however, it is not mandatory"><span class="vector-icon mw-ui-icon-userAdd mw-ui-icon-wikimedia-userAdd"></span> <span>Create account</span></a></li><li id="pt-login" class="user-links-collapsible-item mw-list-item"><a href="/w/index.php?title=Special:UserLogin&amp;returnto=Reporting+security+bugs" title="You are encouraged to log in; however, it is not mandatory [o]" accesskey="o"><span class="vector-icon mw-ui-icon-logIn mw-ui-icon-wikimedia-logIn"></span> <span>Log in</span></a></li> </ul> </div> </div> <div id="p-user-menu-anon-editor" class="vector-menu mw-portlet mw-portlet-user-menu-anon-editor" > <div class="vector-menu-heading"> Pages for logged out editors <a href="/wiki/Help:Introduction" aria-label="Learn more about editing"><span>learn more</span></a> </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="pt-anoncontribs" class="mw-list-item"><a href="/wiki/Special:MyContributions" title="A list of edits made from this IP address [y]" accesskey="y"><span>Contributions</span></a></li><li id="pt-anontalk" class="mw-list-item"><a href="/wiki/Special:MyTalk" title="Discussion about edits from this IP address [n]" accesskey="n"><span>Talk</span></a></li> </ul> </div> </div> </div> </div> </nav> </div> </header> </div> <div class="mw-page-container"> <div class="mw-page-container-inner"> <div class="vector-sitenotice-container"> <div id="siteNotice"><!-- CentralNotice --></div> </div> <div class="vector-column-start"> <div class="vector-main-menu-container"> <div id="mw-navigation"> <nav id="mw-panel" class="vector-main-menu-landmark" aria-label="Site"> <div id="vector-main-menu-pinned-container" class="vector-pinned-container"> </div> </nav> </div> </div> <div class="vector-sticky-pinned-container"> <nav id="mw-panel-toc" aria-label="Contents" data-event-name="ui.sidebar-toc" class="mw-table-of-contents-container vector-toc-landmark"> <div id="vector-toc-pinned-container" class="vector-pinned-container"> <div id="vector-toc" class="vector-toc vector-pinnable-element"> <div class="vector-pinnable-header vector-toc-pinnable-header vector-pinnable-header-pinned" data-feature-name="toc-pinned" data-pinnable-element-id="vector-toc" > <h2 class="vector-pinnable-header-label">Contents</h2> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-toc.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-toc.unpin">hide</button> </div> <ul class="vector-toc-contents" id="mw-panel-toc-list"> <li id="toc-mw-content-text" class="vector-toc-list-item vector-toc-level-1"> <a href="#" class="vector-toc-link"> <div class="vector-toc-text">Beginning</div> </a> </li> <li id="toc-What_is_considered_a_security_issue" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#What_is_considered_a_security_issue"> <div class="vector-toc-text"> <span class="vector-toc-numb">1</span> <span>What is considered a security issue</span> </div> </a> <ul id="toc-What_is_considered_a_security_issue-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Reporting_a_security_issue" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Reporting_a_security_issue"> <div class="vector-toc-text"> <span class="vector-toc-numb">2</span> <span>Reporting a security issue</span> </div> </a> <ul id="toc-Reporting_a_security_issue-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-What_to_include_in_a_security_issue_report" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#What_to_include_in_a_security_issue_report"> <div class="vector-toc-text"> <span class="vector-toc-numb">3</span> <span>What to include in a security issue report</span> </div> </a> <ul id="toc-What_to_include_in_a_security_issue_report-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-What_happens_when_security_issues_are_reported" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#What_happens_when_security_issues_are_reported"> <div class="vector-toc-text"> <span class="vector-toc-numb">4</span> <span>What happens when security issues are reported</span> </div> </a> <ul id="toc-What_happens_when_security_issues_are_reported-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Crediting_reporters" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Crediting_reporters"> <div class="vector-toc-text"> <span class="vector-toc-numb">5</span> <span>Crediting reporters</span> </div> </a> <ul id="toc-Crediting_reporters-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Tracking_report_remediation" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Tracking_report_remediation"> <div class="vector-toc-text"> <span class="vector-toc-numb">6</span> <span>Tracking report remediation</span> </div> </a> <ul id="toc-Tracking_report_remediation-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Contributing_patches" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Contributing_patches"> <div class="vector-toc-text"> <span class="vector-toc-numb">7</span> <span>Contributing patches</span> </div> </a> <ul id="toc-Contributing_patches-sublist" class="vector-toc-list"> </ul> </li> <li id="toc-Related_security_content" class="vector-toc-list-item vector-toc-level-1 vector-toc-list-item-expanded"> <a class="vector-toc-link" href="#Related_security_content"> <div class="vector-toc-text"> <span class="vector-toc-numb">8</span> <span>Related security content</span> </div> </a> <ul id="toc-Related_security_content-sublist" class="vector-toc-list"> </ul> </li> </ul> </div> </div> </nav> </div> </div> <div class="mw-content-container"> <main id="content" class="mw-body"> <header class="mw-body-header vector-page-titlebar"> <nav aria-label="Contents" class="vector-toc-landmark"> <div id="vector-page-titlebar-toc" class="vector-dropdown vector-page-titlebar-toc vector-button-flush-left" > <input type="checkbox" id="vector-page-titlebar-toc-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-page-titlebar-toc" class="vector-dropdown-checkbox " aria-label="Toggle the table of contents" > <label id="vector-page-titlebar-toc-label" for="vector-page-titlebar-toc-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet cdx-button--icon-only " aria-hidden="true" ><span class="vector-icon mw-ui-icon-listBullet mw-ui-icon-wikimedia-listBullet"></span> <span class="vector-dropdown-label-text">Toggle the table of contents</span> </label> <div class="vector-dropdown-content"> <div id="vector-page-titlebar-toc-unpinned-container" class="vector-unpinned-container"> </div> </div> </div> </nav> <h1 id="firstHeading" class="firstHeading mw-first-heading"><span class="mw-page-title-main">Reporting security bugs</span></h1> <div class="mw-indicators"> </div> </header> <div class="vector-page-toolbar"> <div class="vector-page-toolbar-container"> <div id="left-navigation"> <nav aria-label="Namespaces"> <div id="p-associated-pages" class="vector-menu vector-menu-tabs mw-portlet mw-portlet-associated-pages" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-nstab-main" class="selected vector-tab-noicon mw-list-item"><a href="/wiki/Reporting_security_bugs" title="View the content page [c]" accesskey="c"><span>Page</span></a></li><li id="ca-talk" class="vector-tab-noicon mw-list-item"><a href="/wiki/Talk:Reporting_security_bugs" rel="discussion" title="Discussion about the content page [t]" accesskey="t"><span>Discussion</span></a></li> </ul> </div> </div> <div id="vector-variants-dropdown" class="vector-dropdown emptyPortlet" > <input type="checkbox" id="vector-variants-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-variants-dropdown" class="vector-dropdown-checkbox " aria-label="Change language variant" > <label id="vector-variants-dropdown-label" for="vector-variants-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet" aria-hidden="true" ><span class="vector-dropdown-label-text">English</span> </label> <div class="vector-dropdown-content"> <div id="p-variants" class="vector-menu mw-portlet mw-portlet-variants emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> </div> </div> </nav> </div> <div id="right-navigation" class="vector-collapsible"> <nav aria-label="Views"> <div id="p-views" class="vector-menu vector-menu-tabs mw-portlet mw-portlet-views" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-view" class="selected vector-tab-noicon mw-list-item"><a href="/wiki/Reporting_security_bugs"><span>Read</span></a></li><li id="ca-viewsource" class="vector-tab-noicon mw-list-item"><a href="/w/index.php?title=Reporting_security_bugs&amp;action=edit" title="This page is protected.&#10;You can view its source [e]" accesskey="e"><span>View source</span></a></li><li id="ca-history" class="vector-tab-noicon mw-list-item"><a href="/w/index.php?title=Reporting_security_bugs&amp;action=history" title="Past revisions of this page [h]" accesskey="h"><span>View history</span></a></li> </ul> </div> </div> </nav> <nav class="vector-page-tools-landmark" aria-label="Page tools"> <div id="vector-page-tools-dropdown" class="vector-dropdown vector-page-tools-dropdown" > <input type="checkbox" id="vector-page-tools-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-page-tools-dropdown" class="vector-dropdown-checkbox " aria-label="Tools" > <label id="vector-page-tools-dropdown-label" for="vector-page-tools-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet" aria-hidden="true" ><span class="vector-dropdown-label-text">Tools</span> </label> <div class="vector-dropdown-content"> <div id="vector-page-tools-unpinned-container" class="vector-unpinned-container"> <div id="vector-page-tools" class="vector-page-tools vector-pinnable-element"> <div class="vector-pinnable-header vector-page-tools-pinnable-header vector-pinnable-header-unpinned" data-feature-name="page-tools-pinned" data-pinnable-element-id="vector-page-tools" data-pinned-container-id="vector-page-tools-pinned-container" data-unpinned-container-id="vector-page-tools-unpinned-container" > <div class="vector-pinnable-header-label">Tools</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-page-tools.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-page-tools.unpin">hide</button> </div> <div id="p-cactions" class="vector-menu mw-portlet mw-portlet-cactions emptyPortlet vector-has-collapsible-items" title="More options" > <div class="vector-menu-heading"> Actions </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-more-view" class="selected vector-more-collapsible-item mw-list-item"><a href="/wiki/Reporting_security_bugs"><span>Read</span></a></li><li id="ca-more-viewsource" class="vector-more-collapsible-item mw-list-item"><a href="/w/index.php?title=Reporting_security_bugs&amp;action=edit"><span>View source</span></a></li><li id="ca-more-history" class="vector-more-collapsible-item mw-list-item"><a href="/w/index.php?title=Reporting_security_bugs&amp;action=history"><span>View history</span></a></li> </ul> </div> </div> <div id="p-tb" class="vector-menu mw-portlet mw-portlet-tb" > <div class="vector-menu-heading"> General </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="t-whatlinkshere" class="mw-list-item"><a href="/wiki/Special:WhatLinksHere/Reporting_security_bugs" title="A list of all wiki pages that link here [j]" accesskey="j"><span>What links here</span></a></li><li id="t-recentchangeslinked" class="mw-list-item"><a href="/wiki/Special:RecentChangesLinked/Reporting_security_bugs" rel="nofollow" title="Recent changes in pages linked from this page [k]" accesskey="k"><span>Related changes</span></a></li><li id="t-upload" class="mw-list-item"><a href="//commons.wikimedia.org/wiki/Special:UploadWizard" title="Upload files [u]" accesskey="u"><span>Upload file</span></a></li><li id="t-specialpages" class="mw-list-item"><a href="/wiki/Special:SpecialPages" title="A list of all special pages [q]" accesskey="q"><span>Special pages</span></a></li><li id="t-permalink" class="mw-list-item"><a href="/w/index.php?title=Reporting_security_bugs&amp;oldid=6793478" title="Permanent link to this revision of this page"><span>Permanent link</span></a></li><li id="t-info" class="mw-list-item"><a href="/w/index.php?title=Reporting_security_bugs&amp;action=info" title="More information about this page"><span>Page information</span></a></li><li id="t-cite" class="mw-list-item"><a href="/w/index.php?title=Special:CiteThisPage&amp;page=Reporting_security_bugs&amp;id=6793478&amp;wpFormIdentifier=titleform" title="Information on how to cite this page"><span>Cite this page</span></a></li><li id="t-urlshortener" class="mw-list-item"><a href="/w/index.php?title=Special:UrlShortener&amp;url=https%3A%2F%2Fwww.mediawiki.org%2Fwiki%2FReporting_security_bugs"><span>Get shortened URL</span></a></li><li id="t-urlshortener-qrcode" class="mw-list-item"><a href="/w/index.php?title=Special:QrCode&amp;url=https%3A%2F%2Fwww.mediawiki.org%2Fwiki%2FReporting_security_bugs"><span>Download QR code</span></a></li> </ul> </div> </div> <div id="p-coll-print_export" class="vector-menu mw-portlet mw-portlet-coll-print_export" > <div class="vector-menu-heading"> Print/export </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="coll-create_a_book" class="mw-list-item"><a href="/w/index.php?title=Special:Book&amp;bookcmd=book_creator&amp;referer=Reporting+security+bugs"><span>Create a book</span></a></li><li id="coll-download-as-rl" class="mw-list-item"><a href="/w/index.php?title=Special:DownloadAsPdf&amp;page=Reporting_security_bugs&amp;action=show-download-screen"><span>Download as PDF</span></a></li><li id="t-print" class="mw-list-item"><a href="/w/index.php?title=Reporting_security_bugs&amp;printable=yes" title="Printable version of this page [p]" accesskey="p"><span>Printable version</span></a></li> </ul> </div> </div> <div id="p-wikibase-otherprojects" class="vector-menu mw-portlet mw-portlet-wikibase-otherprojects emptyPortlet" > <div class="vector-menu-heading"> In other projects </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> </div> </div> </div> </div> </nav> </div> </div> </div> <div class="vector-column-end"> <div class="vector-sticky-pinned-container"> <nav class="vector-page-tools-landmark" aria-label="Page tools"> <div id="vector-page-tools-pinned-container" class="vector-pinned-container"> </div> </nav> <nav class="vector-appearance-landmark" aria-label="Appearance"> <div id="vector-appearance-pinned-container" class="vector-pinned-container"> <div id="vector-appearance" class="vector-appearance vector-pinnable-element"> <div class="vector-pinnable-header vector-appearance-pinnable-header vector-pinnable-header-pinned" data-feature-name="appearance-pinned" data-pinnable-element-id="vector-appearance" data-pinned-container-id="vector-appearance-pinned-container" data-unpinned-container-id="vector-appearance-unpinned-container" > <div class="vector-pinnable-header-label">Appearance</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-appearance.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-appearance.unpin">hide</button> </div> </div> </div> </nav> </div> </div> <div id="bodyContent" class="vector-body" aria-labelledby="firstHeading" data-mw-ve-target-container> <div class="vector-body-before-content"> <div id="siteSub" class="noprint">From mediawiki.org</div> </div> <div id="contentSub"><div id="mw-content-subtitle"></div></div> <div id="mw-content-text" class="mw-body-content"><div class="mw-pt-translate-header noprint nomobile" dir="ltr" lang="en"><a href="/w/index.php?title=Special:Translate&amp;group=page-Reporting+security+bugs&amp;action=page&amp;filter=&amp;action_source=translate_page" title="Special:Translate">Translate this page</a></div><div class="mw-content-ltr mw-parser-output" lang="en" dir="ltr"><div class="mw-pt-languages noprint navigation-not-searchable" lang="en" dir="ltr"><div class="mw-pt-languages-label">Languages:</div><ul class="mw-pt-languages-list"><li><a href="/wiki/Reporting_security_bugs/id" class="mw-pt-progress mw-pt-progress--med" title="Melaporkan kutu keamanan (22% translated)" lang="id" dir="ltr">Bahasa Indonesia</a></li> <li><a href="/wiki/Reporting_security_bugs/en-gb" class="mw-pt-progress mw-pt-progress--low" title="Reporting security bugs/en-gb (3% translated)" lang="en-GB" dir="ltr">British English</a></li> <li><a href="/wiki/Reporting_security_bugs/de" class="mw-pt-progress mw-pt-progress--complete" title="Sicherheitsfehler melden (100% translated)" lang="de" dir="ltr">Deutsch</a></li> <li><span class="mw-pt-languages-ui mw-pt-languages-selected mw-pt-progress mw-pt-progress--complete" lang="en" dir="ltr">English</span></li> <li><a href="/wiki/Reporting_security_bugs/lb" class="mw-pt-progress mw-pt-progress--low" title="Reporting security bugs/lb (2% translated)" lang="lb" dir="ltr">Lëtzebuergesch</a></li> <li><a href="/wiki/Reporting_security_bugs/nl" class="mw-pt-progress mw-pt-progress--complete" title="Beveiligingsproblemen melden (100% translated)" lang="nl" dir="ltr">Nederlands</a></li> <li><a href="/wiki/Reporting_security_bugs/tr" class="mw-pt-progress mw-pt-progress--low" title="Reporting security bugs/tr (8% translated)" lang="tr" dir="ltr">Türkçe</a></li> <li><a href="/wiki/Reporting_security_bugs/diq" class="mw-pt-progress mw-pt-progress--low" title="Reporting security bugs/diq (2% translated)" lang="diq" dir="ltr">Zazaki</a></li> <li><a href="/wiki/Reporting_security_bugs/br" class="mw-pt-progress mw-pt-progress--low" title="Reporting security bugs/br (2% translated)" lang="br" dir="ltr">brezhoneg</a></li> <li><a href="/wiki/Reporting_security_bugs/es" class="mw-pt-progress mw-pt-progress--high" title="Informar errores de seguridad (98% translated)" lang="es" dir="ltr">español</a></li> <li><a href="/wiki/Reporting_security_bugs/fr" class="mw-pt-progress mw-pt-progress--complete" title="Rapporter des bogues de sécurité (100% translated)" lang="fr" dir="ltr">français</a></li> <li><a href="/wiki/Reporting_security_bugs/it" class="mw-pt-progress mw-pt-progress--complete" title="Segnalazione problemi di sicurezza (100% translated)" lang="it" dir="ltr">italiano</a></li> <li><a href="/wiki/Reporting_security_bugs/hu" class="mw-pt-progress mw-pt-progress--med" title="Biztonsági hibák bejelentése (42% translated)" lang="hu" dir="ltr">magyar</a></li> <li><a href="/wiki/Reporting_security_bugs/pt" class="mw-pt-progress mw-pt-progress--low" title="Relatando bugs de segurança (2% translated)" lang="pt" dir="ltr">português</a></li> <li><a href="/wiki/Reporting_security_bugs/pt-br" class="mw-pt-progress mw-pt-progress--high" title="Relatando bugs de segurança (98% translated)" lang="pt-BR" dir="ltr">português do Brasil</a></li> <li><a href="/wiki/Reporting_security_bugs/cs" class="mw-pt-progress mw-pt-progress--complete" title="Hlášení bezpečnostních chyb (100% translated)" lang="cs" dir="ltr">čeština</a></li> <li><a href="/wiki/Reporting_security_bugs/ru" class="mw-pt-progress mw-pt-progress--med" title="Сообщение об ошибках в системе безопасности (17% translated)" lang="ru" dir="ltr">русский</a></li> <li><a href="/wiki/Reporting_security_bugs/ur" class="mw-pt-progress mw-pt-progress--low" title="امان کے बग्स رپورٹ کرنا (8% translated)" lang="ur" dir="rtl">اردو</a></li> <li><a href="/wiki/Reporting_security_bugs/ar" class="mw-pt-progress mw-pt-progress--complete" title="الإبلاغ عن المشاكل الأمنية (100% translated)" lang="ar" dir="rtl">العربية</a></li> <li><a href="/wiki/Reporting_security_bugs/hi" class="mw-pt-progress mw-pt-progress--high" title="सुरक्षा के बग्स रिपोर्ट करना (97% translated)" lang="hi" dir="ltr">हिन्दी</a></li> <li><a href="/wiki/Reporting_security_bugs/bn" class="mw-pt-progress mw-pt-progress--low" title="নিরাপত্তা বাগ প্রতিবেদন (5% translated)" lang="bn" dir="ltr">বাংলা</a></li> <li><a href="/wiki/Reporting_security_bugs/th" class="mw-pt-progress mw-pt-progress--low" title="การแจ้งความผิดพลาดความปลอดภัย (2% translated)" lang="th" dir="ltr">ไทย</a></li> <li><a href="/wiki/Reporting_security_bugs/zh" class="mw-pt-progress mw-pt-progress--complete" title="报告安全问题 (100% translated)" lang="zh" dir="ltr">中文</a></li> <li><a href="/wiki/Reporting_security_bugs/ja" class="mw-pt-progress mw-pt-progress--low" title="セキュリティバグの報告 (3% translated)" lang="ja" dir="ltr">日本語</a></li> <li><a href="/wiki/Reporting_security_bugs/ko" class="mw-pt-progress mw-pt-progress--low" title="Reporting security bugs/ko (2% translated)" lang="ko" dir="ltr">한국어</a></li></ul></div> <p>This is the process for reporting security issues in software and services maintained or operated by Wikimedia Foundation. This includes MediaWiki and <a class="external text" href="https://www.wikimedia.org/">Wikimedia projects</a> such as Wikipedia. </p><p>We support <a href="https://en.wikipedia.org/wiki/coordinated_vulnerability_disclosure" class="extiw" title="en:coordinated vulnerability disclosure">responsible disclosure</a> and we hope that anyone who finds a potential security issue in our ecosystem acts with discretion and forbearance. </p> <meta property="mw:PageProp/toc"/> <div class="mw-heading mw-heading2 ext-discussiontools-init-section"><h2 id="What_is_considered_a_security_issue" data-mw-thread-id="h-What_is_considered_a_security_issue"><span data-mw-comment-start="" id="h-What_is_considered_a_security_issue"></span>What is considered a security issue<span data-mw-comment-end="h-What_is_considered_a_security_issue"></span></h2><!--__DTELLIPSISBUTTON__{"threadItem":{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-What_is_considered_a_security_issue","replies":[]}}--></div> <p>This is a general outline and not an exhaustive listing of the scope of this process. </p> <ul><li>Issues that affect the availability of one of more services that are part of the Wikimedia ecosystem, but in particular when this is the result of a hostile set of actions or campaign.</li> <li>When the integrity of data hosted by the Wikimedia Foundation or affiliated entities is at risk of being corrupted, tampered with, or otherwise modified in an unauthorized manner.</li> <li>When the confidentiality of data owned by the Wikimedia Foundation or its affiliated entities is compromised, such that information meant to be restricted or private is leaked, revealed, stolen, or exfiltrated in an unauthorized manner.</li></ul> <div class="mw-heading mw-heading2 ext-discussiontools-init-section"><h2 id="Reporting_a_security_issue" data-mw-thread-id="h-Reporting_a_security_issue"><span data-mw-comment-start="" id="h-Reporting_a_security_issue"></span>Reporting a security issue<span data-mw-comment-end="h-Reporting_a_security_issue"></span></h2><!--__DTELLIPSISBUTTON__{"threadItem":{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-Reporting_a_security_issue","replies":[]}}--></div> <p>To report an issue, email <b><a rel="nofollow" class="external text" href="mailto:security@wikimedia.org">security@wikimedia.org</a></b> or use the <a href="https://phabricator.wikimedia.org/maniphest/task/edit/form/75/" class="extiw" title="phab:maniphest/task/edit/form/75/">Report Security Issue</a> form on <a href="/wiki/Special:MyLanguage/Phabricator" title="Special:MyLanguage/Phabricator">Phabricator</a>. </p><p>Such reports will not be publicly visible at the time of reporting. See below for further process once issues are resolved. </p> <div class="mw-heading mw-heading2 ext-discussiontools-init-section"><h2 id="What_to_include_in_a_security_issue_report" data-mw-thread-id="h-What_to_include_in_a_security_issue_report"><span data-mw-comment-start="" id="h-What_to_include_in_a_security_issue_report"></span>What to include in a security issue report<span data-mw-comment-end="h-What_to_include_in_a_security_issue_report"></span></h2><!--__DTELLIPSISBUTTON__{"threadItem":{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-What_to_include_in_a_security_issue_report","replies":[]}}--></div> <ul><li>Step-by-step instructions to reproduce the issue</li> <li>If possible, <a href="https://en.wikipedia.org/wiki/Proof_of_concept" class="extiw" title="w:Proof of concept">proof-of-concept</a> code demonstrating the issue is a best practice</li> <li>If the vulnerability can be reproduced on a Wikimedia project (such as Wikipedia or Wiktionary) please indicate which as site configurations vary</li> <li>If applicable, indicate if you are logged in or logged out when the issue occurs</li> <li>For <a href="https://en.wikipedia.org/wiki/Cross-site_scripting" class="extiw" title="w:Cross-site scripting">XSS</a> or vulnerabilities that require a specific browser or plugin, please indicate which browser and version you are using. The specific version of any software used will be helpful.</li> <li><a href="https://en.wikipedia.org/wiki/OWASP" class="extiw" title="w:OWASP">OWASP</a> vulnerability category (using <a rel="nofollow" class="external text" href="https://owasp.org/www-project-top-ten/">OWASP Top 10 for 2017</a>), or <a href="https://en.wikipedia.org/wiki/Common_Weakness_Enumeration" class="extiw" title="w:Common Weakness Enumeration">CWE</a> id (using <a rel="nofollow" class="external text" href="https://cwe.mitre.org/data/definitions/1000.html">CWE By Research Concepts</a>)</li> <li><a href="https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures" class="extiw" title="w:Common Vulnerabilities and Exposures">CVE</a> if assigned (using the <a rel="nofollow" class="external text" href="https://nvd.nist.gov/vuln/search">NIST CVE database</a>)</li> <li>Any other information needed to investigate and reproduce the issue</li></ul> <p>If you report the vulnerability by email to <b><a rel="nofollow" class="external text" href="mailto:security@wikimedia.org">security@wikimedia.org</a></b>, let us know if you have a <a href="https://phabricator.wikimedia.org/" class="extiw" title="phab:">Wikimedia Phabricator</a> account as we will add you to the bug we create, so you can track the status. </p><p>Phabricator accounts can be <a href="/wiki/Special:MyLanguage/Phabricator/Help#Creating_your_account" title="Special:MyLanguage/Phabricator/Help">created</a> using an existing <a href="https://meta.wikimedia.org/wiki/Special:MyLanguage/Help:Unified_login" class="extiw" title="m:Special:MyLanguage/Help:Unified login">SUL Wiki account</a>. </p> <div class="mw-heading mw-heading2 ext-discussiontools-init-section"><h2 id="What_happens_when_security_issues_are_reported" data-mw-thread-id="h-What_happens_when_security_issues_are_reported"><span data-mw-comment-start="" id="h-What_happens_when_security_issues_are_reported"></span>What happens when security issues are reported<span data-mw-comment-end="h-What_happens_when_security_issues_are_reported"></span></h2><!--__DTELLIPSISBUTTON__{"threadItem":{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-What_happens_when_security_issues_are_reported","replies":[]}}--></div> <p>We will: </p> <ul><li>Determine whether we consider it to be a security issue</li> <li>Attempt to reproduce the issue, and assign a priority to the bug based on its impact.</li> <li>A patch will be added in Phabricator, and another person will review it. <ul><li>The patch should contain regression tests, whenever possible.</li></ul></li> <li>The patch will be deployed on the Wikimedia cluster, and access to the patch will be given to a few trusted partners and distributors.<sup class="Template-Fact" style="white-space:nowrap;">[<i><a href="https://en.wikipedia.org/wiki/Citation_needed" class="extiw" title="wikipedia:Citation needed"><span title="This claim needs references to reliable sources.">citation needed</span></a></i>]</sup></li> <li>If applicable, the patch will be included in the next release of MediaWiki. If the impact of the vulnerability is especially bad, or we have indication that it is being actively exploited, we will make a special security release of MediaWiki to ensure third parties are protected.</li> <li>Unless you explicitly indicate that certain information must not be published, we will make the Phabricator ticket public when the fix is released, and credit you in the release announcement. If you report the issue via email to <a rel="nofollow" class="external text" href="mailto:security@wikimedia.org">security@wikimedia.org</a> the email itself may be publicly released. This may include your email address and signature unless you request otherwise. The Phabricator tag <a class="external text" href="https://phabricator.wikimedia.org/project/view/3825/">PermanentlyPrivate</a> will ensure reports are kept confidential in perpetuity.</li> <li>Determine if a <a href="https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures" class="extiw" title="w:Common Vulnerabilities and Exposures">CVE record</a> needs to be published if it was not included in the original report</li></ul> <div class="mw-heading mw-heading2 ext-discussiontools-init-section"><h2 id="Crediting_reporters" data-mw-thread-id="h-Crediting_reporters"><span data-mw-comment-start="" id="h-Crediting_reporters"></span>Crediting reporters<span data-mw-comment-end="h-Crediting_reporters"></span></h2><!--__DTELLIPSISBUTTON__{"threadItem":{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-Crediting_reporters","replies":[]}}--></div> <ul><li>Credit will be given to the reporter in the commit message fixing the issue</li> <li>Credit will be given to the reporter in the official announcement email going to the <a href="https://lists.wikimedia.org/pipermail/mediawiki-announce/" class="extiw" title="mailarchive:mediawiki-announce/">MediaWiki-announce</a> mailing lists</li> <li>Credit will be given on <a href="/wiki/Wikimedia_Security_Team/Thanks" title="Wikimedia Security Team/Thanks">Wikimedia Security Team/Thanks</a> for vulnerabilities in MediaWiki core or a bundled library, skin, or extension.</li> <li>Currently, there is no budget for security reports. This means <b>no bounties are paid</b> by Wikimedia Foundation for discovering security bugs on these projects, either in money or in merchandise.</li></ul> <div class="mw-heading mw-heading2 ext-discussiontools-init-section"><h2 id="Tracking_report_remediation" data-mw-thread-id="h-Tracking_report_remediation"><span data-mw-comment-start="" id="h-Tracking_report_remediation"></span>Tracking report remediation<span data-mw-comment-end="h-Tracking_report_remediation"></span></h2><!--__DTELLIPSISBUTTON__{"threadItem":{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-Tracking_report_remediation","replies":[]}}--></div> <p>When possible during the remediation process, the security bugs should have comments that include: </p> <ul><li>Step-by-step instructions to reproduce further issues</li> <li>Links to the commits that introduced the bug</li> <li>Links to the Gerrit changesets that fixes the bug</li></ul> <p>Reporter access to their own authored reports is standard, but to gain access to security protected issues generally there is a separate <a href="/wiki/Security/SOP/Access_to_Phabricator_Security_Issues" title="Security/SOP/Access to Phabricator Security Issues">process</a> </p> <div class="mw-heading mw-heading2 ext-discussiontools-init-section"><h2 id="Contributing_patches" data-mw-thread-id="h-Contributing_patches"><span data-mw-comment-start="" id="h-Contributing_patches"></span>Contributing patches<span data-mw-comment-end="h-Contributing_patches"></span></h2><!--__DTELLIPSISBUTTON__{"threadItem":{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-Contributing_patches","replies":[]}}--></div> <p>If you would like to provide a patch for a security bug, please add it as an attachment to the <a href="/wiki/Special:MyLanguage/Phabricator" title="Special:MyLanguage/Phabricator">Phabricator</a> task. You can either drag-and-drop the patch into the comment area, or include a diff of the patch as a comment. </p><p>Please <b>do not submit patches to <a href="/wiki/Special:MyLanguage/Gerrit" title="Special:MyLanguage/Gerrit">Gerrit</a></b>. All Gerrit changes (including "drafts") are publicly accessible. </p> <ul><li>See <a href="https://wikitech.wikimedia.org/wiki/How_to_deploy_code#Creating_a_Security_Patch" class="extiw" title="wikitech:How to deploy code">Creating a Security Patch</a> section on wikitech for steps to create these patches, and <a href="https://wikitech.wikimedia.org/wiki/How_to_deploy_code#Security_patches" class="extiw" title="wikitech:How to deploy code">Security patches</a> section for how these patches are deployed.</li></ul> <div class="mw-heading mw-heading2 ext-discussiontools-init-section"><h2 id="Related_security_content" data-mw-thread-id="h-Related_security_content"><span data-mw-comment-start="" id="h-Related_security_content"></span>Related security content<span data-mw-comment-end="h-Related_security_content"></span></h2><!--__DTELLIPSISBUTTON__{"threadItem":{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-Related_security_content","replies":[]}}--></div> <table class="wikitable"> <tbody><tr> <th>Project</th> <th>Use by Wikimedia Security Team </th></tr> <tr> <td><a href="/wiki/Special:MyLanguage/Security" title="Special:MyLanguage/Security">mediawiki.org</a><span style="display:none"><a href="/wiki/Security" title="Security"> </a></span></td> <td>General content for Policy, SOPs, etc. <a href="/wiki/Special:MyLanguage/Wikimedia_Security_Team" title="Special:MyLanguage/Wikimedia Security Team">Official Security team page</a><span style="display:none"><a href="/wiki/Wikimedia_Security_Team" title="Wikimedia Security Team"> </a></span>. </td></tr> <tr> <td><a class="external text" href="https://wikitech.wikimedia.org/wiki/Security">wikitech.wikimedia.org</a></td> <td>Procedural or instructional material that is not training. </td></tr> <tr> <td><a href="https://meta.wikimedia.org/wiki/Security" class="extiw" title="m:Security">meta.wikimedia.org</a></td> <td>Policy and other content for translation. </td></tr> <tr> <td><a class="external text" href="https://office.wikimedia.org/wiki/Security">office.wikimedia.org</a></td> <td>Sensitive or private content. Must have an NDA and appropriate access. </td></tr> <tr> <td><a href="https://foundation.wikimedia.org/wiki/Policies" class="extiw" title="foundation:Policies">foundation.wikimedia.org</a></td> <td>Canonical location for policies. </td></tr></tbody></table> <!-- NewPP limit report Parsed by mw‐api‐int.codfw.main‐849f99967d‐9999b Cached time: 20241123062234 Cache expiry: 2592000 Reduced expiry: false Complications: [show‐toc] DiscussionTools time usage: 0.010 seconds CPU time usage: 0.214 seconds Real time usage: 0.300 seconds Preprocessor visited node count: 270/1000000 Post‐expand include size: 1428/2097152 bytes Template argument size: 412/2097152 bytes Highest expansion depth: 11/100 Expensive parser function count: 0/500 Unstrip recursion depth: 0/20 Unstrip post‐expand size: 5036/5000000 bytes Lua time usage: 0.005/10.000 seconds Lua memory usage: 753461/52428800 bytes Number of Wikibase entities loaded: 0/400 --> <!-- Transclusion expansion time report (%,ms,calls,template) 100.00% 41.095 1 -total 59.94% 24.633 2 Template:Ll 39.55% 16.251 1 Template:Citation_needed 36.37% 14.945 4 Template:Translatable 18.90% 7.767 2 Template:Pagelang 6.05% 2.486 1 Template:Fix --> <!-- Saved in parser cache with key mediawikiwiki:pcache:idhash:266304-0!canonical and timestamp 20241123062234 and revision id 6793478. Rendering was triggered because: api-parse --> </div><!--esi <esi:include src="/esitest-fa8a495983347898/content" /> --><noscript><img src="https://login.wikimedia.org/wiki/Special:CentralAutoLogin/start?type=1x1" alt="" width="1" height="1" style="border: none; position: absolute;"></noscript> <div class="printfooter" data-nosnippet="">Retrieved from "<a dir="ltr" href="https://www.mediawiki.org/w/index.php?title=Reporting_security_bugs&amp;oldid=6793478">https://www.mediawiki.org/w/index.php?title=Reporting_security_bugs&amp;oldid=6793478</a>"</div></div> <div id="catlinks" class="catlinks" data-mw="interface"><div id="mw-normal-catlinks" class="mw-normal-catlinks"><a href="/wiki/Special:Categories" title="Special:Categories">Categories</a>: <ul><li><a href="/wiki/Category:Wikimedia_Security_Team" title="Category:Wikimedia Security Team">Wikimedia Security Team</a></li><li><a href="/wiki/Category:Security" title="Category:Security">Security</a></li></ul></div></div> </div> </main> </div> <div class="mw-footer-container"> <footer id="footer" class="mw-footer" > <ul id="footer-info"> <li id="footer-info-lastmod"> This page was last edited on 10 October 2024, at 23:09.</li> <li id="footer-info-copyright">Text is available under the <a rel="nofollow" class="external text" href="https://creativecommons.org/licenses/by-sa/4.0/deed.en">Creative Commons Attribution-ShareAlike License</a>; additional terms may apply. Text in <a class="external text" href="https://www.mediawiki.org/wiki/Special:MyLanguage/Help:Contents">the Help: namespace</a> is available under the <a rel="nofollow" class="external text" href="https://creativecommons.org/publicdomain/zero/1.0/">Creative Commons CC0 License</a>. By using this site, you agree to the <a class="external text" href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Terms_of_Use">Terms of Use</a> and <a class="external text" href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Privacy_policy">Privacy Policy</a>.</li> </ul> <ul id="footer-places"> <li id="footer-places-privacy"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Privacy_policy">Privacy policy</a></li> <li id="footer-places-about"><a href="/wiki/Project:About">About mediawiki.org</a></li> <li id="footer-places-disclaimers"><a href="/wiki/Project:General_disclaimer">Disclaimers</a></li> <li id="footer-places-wm-codeofconduct"><a href="https://www.mediawiki.org/wiki/Special:MyLanguage/Code_of_Conduct">Code of Conduct</a></li> <li id="footer-places-developers"><a href="https://developer.wikimedia.org">Developers</a></li> <li id="footer-places-statslink"><a href="https://stats.wikimedia.org/#/www.mediawiki.org">Statistics</a></li> <li id="footer-places-cookiestatement"><a href="https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Cookie_statement">Cookie statement</a></li> <li id="footer-places-mobileview"><a href="//m.mediawiki.org/w/index.php?title=Reporting_security_bugs&amp;mobileaction=toggle_view_mobile" class="noprint stopMobileRedirectToggle">Mobile view</a></li> </ul> <ul id="footer-icons" class="noprint"> <li id="footer-copyrightico"><a href="https://wikimediafoundation.org/" class="cdx-button cdx-button--fake-button cdx-button--size-large cdx-button--fake-button--enabled"><img src="/static/images/footer/wikimedia-button.svg" width="84" height="29" alt="Wikimedia Foundation" loading="lazy"></a></li> <li id="footer-poweredbyico"><a href="https://www.mediawiki.org/" class="cdx-button cdx-button--fake-button cdx-button--size-large cdx-button--fake-button--enabled"><img src="/w/resources/assets/poweredby_mediawiki.svg" alt="Powered by MediaWiki" width="88" height="31" loading="lazy"></a></li> </ul> </footer> </div> </div> </div> <div class="vector-settings" id="p-dock-bottom"> <ul></ul> </div><script>(RLQ=window.RLQ||[]).push(function(){mw.config.set({"wgHostname":"mw-web.codfw.main-f69cdc8f6-67nx9","wgBackendResponseTime":118,"wgDiscussionToolsPageThreads":[{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-What_is_considered_a_security_issue","replies":[]},{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-Reporting_a_security_issue","replies":[]},{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-What_to_include_in_a_security_issue_report","replies":[]},{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-What_happens_when_security_issues_are_reported","replies":[]},{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-Crediting_reporters","replies":[]},{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-Tracking_report_remediation","replies":[]},{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-Contributing_patches","replies":[]},{"headingLevel":2,"name":"h-","type":"heading","level":0,"id":"h-Related_security_content","replies":[]}],"wgPageParseReport":{"discussiontools":{"limitreport-timeusage":"0.010"},"limitreport":{"cputime":"0.214","walltime":"0.300","ppvisitednodes":{"value":270,"limit":1000000},"postexpandincludesize":{"value":1428,"limit":2097152},"templateargumentsize":{"value":412,"limit":2097152},"expansiondepth":{"value":11,"limit":100},"expensivefunctioncount":{"value":0,"limit":500},"unstrip-depth":{"value":0,"limit":20},"unstrip-size":{"value":5036,"limit":5000000},"entityaccesscount":{"value":0,"limit":400},"timingprofile":["100.00% 41.095 1 -total"," 59.94% 24.633 2 Template:Ll"," 39.55% 16.251 1 Template:Citation_needed"," 36.37% 14.945 4 Template:Translatable"," 18.90% 7.767 2 Template:Pagelang"," 6.05% 2.486 1 Template:Fix"]},"scribunto":{"limitreport-timeusage":{"value":"0.005","limit":"10.000"},"limitreport-memusage":{"value":753461,"limit":52428800}},"cachereport":{"origin":"mw-api-int.codfw.main-849f99967d-9999b","timestamp":"20241123062234","ttl":2592000,"transientcontent":false}}});});</script> </body> </html>

Pages: 1 2 3 4 5 6 7 8 9 10