Wikimedia Security Team/Documentation

This page explains how the Wikimedia Security Team is organizing its documentation.

To report security bugs, vulnerabilities, or other issues, please follow our process.

Introduction

edit

Security is a broad topic across the Wikimedia Foundation and the wider community.

Contexts when we talk about Security include (but are not limited to):

  • Training materials published by community members for the wider world
  • Training materials for WMF staff
  • Training materials for MediaWiki developers
  • Information about the Wikimedia Foundation Security Team
  • Information about Wikimedia Foundation Security Policy
  • Details about MediaWiki as a project
  • Standard Operating Procedures (SOPs) for reporting issues
  • Procedural guides for implementation of features or extensions
  • Governance issues
  • Compliance issues
  • Risk management frameworks
  • ...

These areas can also have different practical outcomes for different projects and communities, and so there is a lot to digest and sort through to find out about any particular topic. Because of this complexity, the Wikimedia Security team is adopting a few strategies to maintain the spaces in which it curates documentation. The scope is only pages which the Wikimedia Security team is committed to maintaining in service to other teams and communities.

Goals for this documentation strategy

edit
  • Improve discoverability through consistency in structure
  • Improve consistency through documenting the intended structure and expectations (this page, among others)
  • Improve quality through active curation
  • Improve transparency by continually examining the need for confidentiality where it exists
  • The Security Team has commitments within our team for adhering to this framework in our handbook.

Projects where this strategy is being employed

edit
Project Use by Wikimedia Security Team
mediawiki.org General content for Policy, SOP, etc. Team landing page.
meta.wikimedia.org Policy and other content for translation.
office.wikimedia.org Sensitive or private content
foundation.wikimedia.org Canonical location for Policy
wikitech.wikimedia.org Procedural or instructional material that is not training

Use of a predictable landing page in /wiki/Security

edit

On the applicable projects we plan to use /wiki/Security as a common landing page. These pages will be interlinked between projects, and will strive to function as a funnel for the user to the appropriate content. The intention is that this common entry point will allow us to structure other content around it, and as subpages under it.

Curation guiding principles

edit

Pages that relate to the Wikimedia Security team can sometimes have unusual or distinct best practices:

  • Sometimes stale content is worse than no content as, even in the case of draft of other notices, users will acquire a false sense of safety. In these cases, completely stagnant pages for which there is no maintained current alternative may be best redirected to the landing page of /wiki/Security, or in the case of team oriented documentation to the team's landing page.
  • Use of subpages for discovery under /wiki/Security is encouraged if consistent
  • Office.wikimedia.org should only be used for confidential content which is not public. Other pages, even if informal, should live on mediawiki.org
  • Use of page moving as process for content maturity development is encouraged if consistent and documented. Example for Policy creation: /wiki/Security/Policy/Draft/Foo (initial wording) => /wiki/Security/Policy/Candidates/Foo (soliciting feedback) => /wiki/Security/Policy/Foo (as a redirect to version for translation on meta once approved).
  • Define an official process and a single page for reporting security issues. This should be referenced (at a minimum) on every /wiki/Security landing page.

Cross-wiki Path Conventions

edit
/wiki Purpose
/Security Main landing page
/Security/SOP Procedures and processes for Security and Governance
/Security/SOP/Draft SOP drafts landing page
/Security/Policy Policy landing page
/Security/Policy/Candidates Needed policy ideas and notes
/Security/Policy/Draft Policy drafts landing page
/Security/Policy/Abandoned Policy that does not pass solicitation phase
/Security/Training Training materials for a variety of audiences
/Security/Standards Standard and how-to documentation and official guides
/Security/Standards/Candidates Needed standards and how-to ideas and notes
/Security/Standards/Draft Standards and how-to drafts landing page
/Security/Guides Best practice documentation and official guides
/Security/Guides/Candidates Needed best practice or guideline ideas and notes
/Security/Guides/Draft Best practice and guideline drafts landing page
/Security/Services Listing of available Security services
/Security/Services/Candidates Listing of potential services
/Security/Services/Draft Security services in development
/Wikimedia_Security_Team If applicable, team page for specific projects. Usually a redirect to Wikimedia Security Team
/Wikimedia_Security_Team/WIP Immature team materials and work product
/Wikimedia_Security_Team/Onboarding Onboarding workflows and landing page (kept on Officewiki)
/Wikimedia_Security_Team/Onboarding/<user> Onboarding user pages and notes (kept on officewiki)
/Wikimedia_Security_Team/Team_Practices Team meetings, handbook, etc. (kept on Officewiki)

Categories in Use

edit

Wikimedia Security Team

Security