Talk:Reporting security bugs

This page partly duplicates Security and is less discoverable. Can the two be merged or coordinated in some way, please? --Nemo 12:05, 31 January 2017 (UTC)Reply

Sometimes, I find a bug and I don't really know if it should be considered as a security issue or not. It would be useful to have some criteria on this page.

To give examples: I didn't report phab:T33656, phab:T45137, phab:T102063 and phab:T150796 as security bugs. The last one was marked marked as a security bug afterwards. Should I have reported the others as such?

Of course, I could just mark bugs as security when I'm not sure and let the security team decide. But the resources to fix those issues seem limited (since only a small number of people can see them), so I don't want to needlessly do it.

Orlodrim (talk) 22:05, 23 May 2019 (UTC)Reply

It would probably make sense to add some additional language in this section for Gitlab and Github, since some Wikimedia code canonically lives under those git front-ends now. It likely makes sense to have a less strict policy for many of those repos. Maybe for things that aren't part of the bundled/core security release or services and code which are not deployed to Wikimedia production, we should advise contacting a project maintainer when a security PR/MR/change-set is about to be posted publicly? SBassett (WMF) (talk) 21:21, 10 October 2024 (UTC)Reply