Talk:Reporting security bugs

Redundancy

This page partly duplicates Security and is less discoverable. Can the two be merged or coordinated in some way, please? --Nemo 12:05, 31 January 2017 (UTC)

When should a bug be reported as a security issue?

Sometimes, I find a bug and I don't really know if it should be considered as a security issue or not. It would be useful to have some criteria on this page.

To give examples: I didn't report phab:T33656, phab:T45137, phab:T102063 and phab:T150796 as security bugs. The last one was marked as a security bug afterwards. Should I have reported the others as such?

Of course, I could just mark bugs as security when I'm not sure and let the security team decide. But the resources to fix those issues seem limited (since only a small number of people can see them), so I don't want to needlessly do it.

Orlodrim (talk) 22:05, 23 May 2019 (UTC)

Contributing patches

It would probably make sense to add some additional language in this section for GitLab and GitHub, since some Wikimedia code canonically lives under those git front-ends now. It likely makes sense to have a less strict policy for many of those repos. Maybe for things that aren't part of the bundled/core security release or services and code which are not deployed to Wikimedia production, we should advise contacting a project maintainer when a security PR/MR/change-set is about to be posted publicly? SBassett (WMF) (talk) 21:21, 10 October 2024 (UTC)