Wikimedia Italia/Reporting security bugs
If you have found a security bug in Wikimedia Italia and you don't know what to do, you are on the right page.
We support responsible disclosure and we hope that anyone who finds a potential security issue in our ecosystem acts with discretion and forbearance.
What is considered a security issue
This is a general outline and not an exclusive listing of possibilities.
- issues that affect the availability of one or more services that are part of the Wikimedia ecosystem, in particular when this is the result of a hostile set of actions or a campaign.
- when the integrity of data hosted by the Wikimedia Foundation or affiliated entities is at risk of being corrupted, tampered with, or otherwise modified in an unauthorized manner.
- when the confidentiality of data owned by the Wikimedia Foundation or its affiliated entities is compromised, such that information meant to be restricted or private is leaked, revealed, stolen, or exfiltrated in an unauthorized manner.
Thank you for making the Internet a safer place.
How to report a security issue
If you believe you have found a security problem in Wikimedia Italia, do not publish it anywhere, including on any mailing list; report it privately to the maintainer of the specific service.
Note that the maintainer is almost certainly a volunteer. Please be kind.
Details will only be publishable once a resolution has been released into production or if the issue has been disproved.
The index of our services and technologies can help you reach the maintainer of the service in question.
For any doubt, contact the office of Wikimedia Italia directly, without attaching any confidential detail but simply asking to be put in contact with the current maintainer of the technology involved:
- or the generic contact page (phone number available)
Once you get in touch with the maintainer of the service in question, we have some tips for your security issue report.
What to include in a security issue report
In short, be clear and brief, but include as many details as possible.
Some of these details:
- step-by-step instructions to reproduce the issue
- if possible, proof-of-concept code demonstrating the issue
- if the vulnerability can be reproduced on a Wikimedia project (such as Wikipedia or Wiktionary), please indicate which one, as site configurations vary
- if applicable, indicate if you are logged in or logged out when the issue occurs
- for XSS or other vulnerabilities that require a specific browser or plugin, please indicate which browser and version you are using. The specific version of any software used will be helpful.
- OWASP vulnerability category (using OWASP Top 10 for 2017), or CWE id (using CWE By Research Concepts)
- CVE if assigned (using the NIST CVE database)
- any other information needed to investigate and reproduce the issue
Wikimedia Italia will publicly thank those who report security issues as described on this page.
We know you don't do it to get free gadgets. Anyway, we also have free gadgets. We also have more for you if you have been particularly cooperative (and we're not just talking about pineapple-free pizza).
Hall of Glory
- User:Dylsss: thank you for reporting a data leak in https://wiki.wikimedia.it/ (phabricator:T306587)
- User:Ferdi2005: thank you for reporting a data leak in a shared link from WMIT's NextCloud