On Wed, Jun 25, 2014 at 5:49 PM, Alex Monk <kren...@gmail.com> wrote:
> Chris, why don't we leave privacy policy compliance to the users posting on
> the bug? Wikimedia personal user data shouldn't be going to the security
> product.

There are a few cases where there may be legitimate private data in a
security bug ("look, SQL injection, and here are some rows from the
user table!", "Hey, this was supposed to be suppressed, and I can see
it", "This user circumvented the block on this IP"). But there might
be ways to flag or categorize a report as also including private data?
Someone with more Bugzilla experience would need to comment.

> Why does WMF get the right to control my access to MediaWiki security bugs
> anyway? Could we not simply host MediaWiki stuff externally? Perhaps on the
> servers of any other major MediaWiki user.

This certainly could be done. That "other major MediaWiki user" would
have to be someone everyone trusts, and preferably with a strong track
record of being able to keep their infrastructure secure. If there's a
legitimate proposal to try it, let's definitely discuss.

> Alex
> Sent from phone
>
> On Wed, Jun 25, 2014 at 4:28 PM, Tyler Romeo <tylerro...@gmail.com> wrote:
>> Hey everybody,
>>
>> So today at the iSEC Partners security open forum I heard a talk from Zane
>> Lackey, the former security lead for Etsy, concerning the effectiveness of
>> bug bounties.
>>
>> He made two points:
>>
>> 1) Bug bounties are unlikely to cause harm, especially for Wikipedia, which
>> I asked him about, because the mere popularity of our service means we are
>> already being scanned, pentested, etc. With a bounty program, there will be
>> incentive for people to report those bugs rather than pastebin them.
>>
>> 2) Even without a monetary reward, which I imagine WMF would not be able to
>> supply, crackers are motivated simply by the "hall of fame", or being able
>> to be recognized for their efforts.
>>
>> Therefore, I thought it may be beneficial to take that over to Wikipedia
>> and start our own bug bounty program. Most likely, it would be strictly a
>> hall-of-fame-like structure where people would be recognized for submitting
>> bug reports (maybe we could even use the OpenBadges extension *wink*
>> *wink*). It would help by increasing the number of bugs (both security and
>> non-security) that are found and reported to us.
>>
>> Any thoughts? (Of course, Chris would have to approve of this program
>> before we even consider it.)
>
> I've been thinking of at least putting up a list of top contributors
> on mediawiki.org for a while, and just hadn't had the time to do it.
> If anyone wants to compile that list from the list of closed security
> bugs, I'd be very supportive.
>
> As for a more official program, the downside that I predict we would
> quickly hit (from talking to a few people who have run these) is the
> high volume of very low quality reports that have to be investigated
> and triaged. Which is something that just takes time from a human...
> so my evil_plans.txt towards this was (I really had almost this
> exactly in my todo list):
> * Get more volunteers access to security bugs
> ** {{done}} get list of top contributors
> ** Find out from Philippe how to get a bunch of volunteers identified
> *** Doh, we're probably changing our identification process soon. On hold.
>
> So, I was planning to wait until we have a more streamlined process
> for getting volunteers access to data that could potentially be
> covered by our privacy policy, then invite some people who have
> contributed significantly to MediaWiki's security in the past to get
> access to those bugs and help triage/assign/fix bugs, then look into
> starting something official or semi-official. But if a few of you
> would be willing to deal with our current identification/NDA process
> and are willing to help out investigating reports, I'm happy to start
> working on it sooner.
>
>>
>> --
>> Tyler Romeo
>> 0xC86B42DF
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l