Security/Phabricator Security Tags

Introduction

The current structure of security tags in Phabricator has become outdated, no longer accurately reflecting the evolving attack scenarios relevant to the Wikimedia Foundation ecosystem. This misalignment creates challenges in effectively categorizing and triaging security tasks, leading to inefficiencies in addressing potential vulnerabilities and threats.

Our goal is to redesign the security tag system to better align with modern attack vectors and the WMF’s operational needs. By creating a streamlined, intuitive, and up-to-date tagging structure, we aim to make the triaging of security tasks more efficient and immediate, ensuring quicker response times and a more robust security posture for the WMF ecosystem.

Problem Statement

Current issues with the existing security tags:

Obsolescence of some tags.

Lack of alignment with current attack scenarios.

Confusion or inefficiency during task triaging.

Impact of these issues on security task management.

Old Tags

A list of the current tags and their issues.

New Tags

Proposed Structure.

Category 1 and category 2 rationale.

Use Cases

Task Triaging Scenarios: how the new tags improve task categorization and prioritization.

Why the new design also allows tracking security remediation tasks and implementations in Phabricator, rather than only vulnerabilities.