On Wed, Jun 25, 2014 at 5:49 PM, Alex Monk <kren...@gmail.com> wrote:
> Chris, why don't we leave privacy policy compliance to the users posting on
> the bug? Wikimedia personal user data shouldn't be going to the security
> product.
There are a few cases where there may be legitimate private data in a security bug ("look, sql injection, and here are some rows from the user table!", "Hey, this was supposed to be suppressed, and I can see it", "This user circumvented the block on this IP"). But there might be ways to flag or categorize a report as also including private data? Someone with more bugzilla experience would need to comment.

> Why does WMF get the right to control access to MediaWiki security bugs
> anyway? Could we not simply host MediaWiki stuff externally? Perhaps on the
> servers of any other major MediaWiki user.

This certainly could be done. That "other major MediaWiki user" would have to be someone everyone trusts, and preferably with a strong track record of being able to keep their infrastructure secure. If there's a legitimate proposal to try it, let's definitely discuss.

> Alex
> Sent from phone
>
> On Wed, Jun 25, 2014 at 4:28 PM, Tyler Romeo <tylerro...@gmail.com> wrote:
>> Hey everybody,
>>
>> So today at the iSEC Partners security open forum I heard a talk from Zane Lackey, the former security lead for Etsy, concerning the effectiveness of bug bounties.
>>
>> He made two points:
>>
>> 1) Bug bounties are unlikely to cause harm, especially for Wikipedia, which I asked him about, because the mere popularity of our service means we are already being scanned, pentested, etc. With a bounty program, there will be incentive for people to report those bugs rather than pastebin them.
>>
>> 2) Even without a monetary reward, which I imagine WMF would not be able to supply, crackers are motivated simply by the "hall of fame", or being able to be recognized for their efforts.
>>
>> Therefore, I thought it may be beneficial to take that over to Wikipedia and start our own bug bounty program.
>> Most likely, it would be strictly a hall-of-fame-like structure where people would be recognized for submitting bug reports (maybe we could even use the OpenBadges extension *wink* *wink*). It would help by increasing the number of bugs (both security and non-security) that are found and reported to us.
>>
>> Any thoughts? (Of course, Chris would have to approve of this program before we even consider it.)
>
> I've been thinking of at least putting up a list of top contributors
> on mediawiki.org for a while, and just hadn't had the time to do it.
> If anyone wants to compile that list from the list of closed security
> bugs, I'd be very supportive.
>
> As for a more official program, the downside that I predict we would
> quickly hit (from talking to a few people who have run these) is the
> high volume of very low quality reports that have to be investigated
> and triaged. Which is something that just takes time from a human...
> so my evil_plans.txt towards this was (I really had almost this
> exactly in my todo list):
> * Get more volunteers access to security bugs
> ** {{done}} get list of top contributors
> ** Find out from Philippe how to get a bunch of volunteers identified
> *** Doh, we're probably changing our identification process soon. On hold.
>
> So, I was planning to wait until we have a more streamlined process
> for getting volunteers access to data that could potentially be
> covered by our privacy policy, then invite some people who have
> contributed significantly to MediaWiki's security in the past to get
> access to those bugs and help triage/assign/fix bugs, then look into
> starting something official or semi-official. But if a few of you
> would be willing to deal with our current identification/NDA process
> and are willing to help out investigating reports, I'm happy to start
> working on it sooner.
>
>> --
>> Tyler Romeo
>> 0xC86B42DF
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l