Wikimedia Italia/Reporting security bugs

From Meta, a Wikimedia project coordination wiki
Jump to navigation Jump to search
This page contains changes which are not marked for translation.
Imbox style.png
How to report a security bug to Wikimedia Italia.
In short, write an amazing security report and send it to Wikimedia Italia in private!
Thank you!

If you have found a security bug in Wikimedia Italia and you don't know what to do, you are in the right page.

We support responsible disclosure and we hope that anyone who finds a potential security issue in our ecosystem acts with discretion and forbearance.

What is considered a security issue[edit]

This is a general outline and not an exclusive listing of possibilities.

  • issues that affect the availability of one of more services that are part of the Wikimedia ecosystem, but in particular when this is the result of a hostile set of actions or campaign.
  • when the integrity of data hosted by the Wikimedia Foundation or affiliated entities is at risk of being corrupted, tampered with, or otherwise modified in an unauthorized manner.
  • when the confidentiality of data owned by the Wikimedia Foundation or its affiliated entities is compromised, such that information meant to be restricted or private is leaked, revealed, stolen, or exfiltrated in an unauthorized manner.

Thank you for making the Internet a safer place.

How to report security issue[edit]

If you believe you have found a security problem in Wikimedia Italia, do not publish it anywhere or in any mailing list but report it privately to the specific maintainer of the specific service.

Note that the maintainer is almost certainly a volunteer. Please be kind.

Details will only be publishable once a resolution has been released into production or if the issue has been disproved.

The index of our services and technologies can help you reach the maintainer of the service in question.

For any doubt, contact the office of Wikimedia Italia directly without attaching any confidential detail but simply asking to be put in contact with the current maintainer of the involved technology.

Once you get in touch with the maintainer of the service in question, we have some tips for your security issue report.

What to include in a security issue report[edit]

In short, be clear and brief but include as much details as possible.

Some of these details:

  • step-by-step instructions to reproduce the issue
  • if possible, proof-of-concept code demonstrating the issue is a best practice
  • if the vulnerability can be reproduced on a Wikimedia project (such as Wikipedia or Wiktionary) please indicate which as site configurations vary
  • if applicable, indicate if you are logged in or logged out when the issue occurs
  • for XSS or vulnerabilities that require a specific browser or plugin, please indicate which browser and version you are using. Specific version of any software used will be helpful.
  • OWASP vulnerability category (using OWASP Top 10 for 2017), or CWE id (using CWE By Research Concepts)7
  • CVE if assigned (using the NIST CVE database)
  • any other information needed to investigate and reproduce the issue

Crediting reporters[edit]

Wikimedia Italia will give public thanks those who report security issues as described in this page.

We know you don't do it to get free gadgets. Anyway we also have free gadgets. We also have more for you, if you have been particularly cooperative (and we're not just talking about pineapple-free pizza).

See also[edit]