Security/Wikimedia Risk Calculator

This documentation details the Wikimedia Risk Calculator, designed for assessing and categorizing security issues. The tool provides clear guidelines to assign precise risk scores, aiming to streamline the triage, escalation, and response to security tasks.

The Risk Calculator Tool, based on the Stakeholder-Specific Vulnerability Categorization (SSVC) system developed by Carnegie Mellon University's Software Engineering Institute (SEI) in collaboration with the Cybersecurity Infrastructure Security Agency (CISA), provides a comprehensive methodology for vulnerability analysis. The SSVC system was created to account for a vulnerability's exploitation status, impacts on safety, and the prevalence of the affected product within a single framework.

This tool is particularly suited to our organization as it offers a more objective and verifiable approach to vulnerability triage compared to the CVSS. Unlike CVSS, SSVC incorporates essential safety metrics, addressing a critical priority for our operations. The SSVC scoring process is designed to be streamlined and user-friendly, utilizing a structured tree format that guides analysts through various options, ultimately dictating the necessary remediation timespan for vulnerabilities. This process determines whether vulnerabilities should be tracked if less impactful or addressed immediately if posing a higher risk.

Additionally, the results generated by the SSVC can be further customized by involving other teams perspective. This involvement ensures a deeper understanding of our wiki users' specific needs, human factor concerns, and mission impact, providing the Wikimedia Foundation with an invaluable asset for improving the triaging process.

This paragraph establishes the unique set of criteria that form the basis of the decision tree for our risk calculator. A scoring algorithm, used in conjunction with these criteria, ensures that each evaluation accurately reflects the appropriate risk level.

1. Exploitation
   1. None: There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability.
   2. PoC: One of the following cases is true: (1) private evidence of exploitation is attested but not shared; (2) widespread hearsay attests to exploitation; (3) typical public PoC in places such as ExploitDB; or (4) the vulnerability has a well-known method of exploitation.
   3. Active: Shared, observable, reliable evidence that the exploit is being used in the wild by real attackers; there is credible public reporting.
2. Exposure
   1. Secondary: Extension or component utilized on low user base Wikis or non-wiki projects.
   2. Limited: The vulnerability may potentially impact medium-sized Wikis, posing risks to the confidentiality, integrity, and availability of the affected Wikis. The vulnerable component, extension, or service might also have a low code ownership score (i.e. owner unknown or inactive).
   3. Critical: The vulnerability has the potential to affect widely accessed Wikis, compromising confidentiality, integrity, and availability. It could be affecting MediaWiki core and may require an urgent remediation plan.
3. Safety and Privacy Impact
   1. Minor: The effect is below the threshold for all aspects described in Moderate.
   2. Moderate: There could be the potential to impact on the privacy and safety of wikis and users, such as isolated instances of online harassment, unauthorized actions or data manipulation.
   3. Major: The potential consequences for users could be significant, encompassing risk to their privacy and/or physical well-being due to compromised personal accounts, data leakage or account takeover.  
4. System Impact
   1. Limited: Little to no impact up to degradation of non-essential functions.
   2. Degraded: There may be notable effects on functionality or vulnerabilities that could escalate to cause more severe consequences.
   3. Crippled: Activities that directly support essential functions are crippled; essential functions continue for a time.

To use the tool and start making decisions, simply select an option for each criterion. The tool will automatically generate a risk score based on the values you provide.

The form will automatically generate a decision value, providing an accurate risk score. Currently, the risk scores and their corresponding priorities are as follows:

• Low : Defer - Do not act at present.
• Medium : Scheduled - Act during regularly scheduled maintenance time.
• High : Out-of-Cycle - Act more quickly than usual to apply the mitigation or remediation out-of-cycle during the next available opportunity, working overtime if necessary.
• Critical : Immediate - Act immediately; focus all resources on applying the fix as quickly as possible, including, if necessary, pausing regular organization operations.

This calculator is currently utilized by the security team to evaluate existing bugs addressed in supplemental security releases. Here are the current results from past release:

• Wikimedia Risk Calculator
• Gitlab repository
• Wikimedia Risk Calculator on Toolforge
• SSVC repository