This page explains how the Wikimedia Security Team is organizing its documentation.
To report security bugs, vulnerabilities, or other issues, please follow our process.
Introduction
Security is a broad topic across the Wikimedia Foundation and the wider community.
Contexts when we talk about Security include (but are not limited to):
- Training materials published by community members for the wider world
- Training materials for WMF staff
- Training materials for MediaWiki developers
- Information about the Wikimedia Foundation Security Team
- Information about Wikimedia Foundation Security Policy
- Details about MediaWiki as a project
- Standard Operating Procedures (SOPs) for reporting issues
- Procedural guides for implementation of features or extensions
- Governance issues
- Compliance issues
- Risk management frameworks
- ...
These areas can also have different practical outcomes for different projects and communities, and so there is a lot to digest and sort through to find out about any particular topic. Because of this complexity, the Wikimedia Security team is adopting a few strategies to maintain the spaces in which it curates documentation. The scope is only pages which the Wikimedia Security team is committed to maintaining in service to other teams and communities.
Goals for this documentation strategy
- Improve discoverability through consistency in structure
- Improve consistency through documenting the intended structure and expectations (this page, among others)
- Improve quality through active curation
- Improve transparency by continually examining the need for confidentiality where it exists
- The Security Team has commitments within our team for adhering to this framework in our handbook.
Projects where this strategy is being employed
| Project | Use by Wikimedia Security Team |
|---|---|
| mediawiki.org | General content for Policy, SOP, etc. Team landing page. |
| meta.wikimedia.org | Policy and other content for translation. |
| office.wikimedia.org | Sensitive or private content |
| foundation.wikimedia.org | Canonical location for Policy |
| wikitech.wikimedia.org | Procedural or instructional material that is not training |
Use of a predictable landing page in /wiki/Security
On the applicable projects we plan to use /wiki/Security as a common landing page. These pages will be interlinked between projects, and will strive to function as a funnel for the user to the appropriate content. The intention is that this common entry point will allow us to structure other content around it, and as subpages under it.
Curation guiding principles
Pages that relate to the Wikimedia Security team can sometimes have unusual or distinct best practices:
- Sometimes stale content is worse than no content as, even in the case of draft of other notices, users will acquire a false sense of safety. In these cases, completely stagnant pages for which there is no maintained current alternative may be best redirected to the landing page of /wiki/Security, or in the case of team oriented documentation to the team's landing page.
- Use of subpages for discovery under /wiki/Security is encouraged if consistent
- Office.wikimedia.org should only be used for confidential content which is not public. Other pages, even if informal, should live on mediawiki.org
- Use of page moving as process for content maturity development is encouraged if consistent and documented. Example for Policy creation: /wiki/Security/Policy/Draft/Foo (initial wording) => /wiki/Security/Policy/Candidates/Foo (soliciting feedback) => /wiki/Security/Policy/Foo (as a redirect to version for translation on meta once approved).
- Define an official process and a single page for reporting security issues. This should be referenced (at a minimum) on every /wiki/Security landing page.
Cross-wiki Path Conventions
| /wiki | Purpose |
|---|---|
| /Security | Main landing page |
| /Security/SOP | Procedures and processes for Security and Governance |
| /Security/SOP/Draft | SOP drafts landing page |
| /Security/Policy | Policy landing page |
| /Security/Policy/Candidates | Needed policy ideas and notes |
| /Security/Policy/Draft | Policy drafts landing page |
| /Security/Policy/Abandoned | Policy that does not pass solicitation phase |
| /Security/Training | Training materials for a variety of audiences |
| /Security/Standards | Standard and how-to documentation and official guides |
| /Security/Standards/Candidates | Needed standards and how-to ideas and notes |
| /Security/Standards/Draft | Standards and how-to drafts landing page |
| /Security/Guides | Best practice documentation and official guides |
| /Security/Guides/Candidates | Needed best practice or guideline ideas and notes |
| /Security/Guides/Draft | Best practice and guideline drafts landing page |
| /Security/Services | Listing of available Security services |
| /Security/Services/Candidates | Listing of potential services |
| /Security/Services/Draft | Security services in development |
| /Wikimedia_Security_Team | If applicable, team page for specific projects. Usually a redirect to Wikimedia Security Team |
| /Wikimedia_Security_Team/WIP | Immature team materials and work product |
| /Wikimedia_Security_Team/Onboarding | Onboarding workflows and landing page (kept on Officewiki) |
| /Wikimedia_Security_Team/Onboarding/<user> | Onboarding user pages and notes (kept on officewiki) |
| /Wikimedia_Security_Team/Team_Practices | Team meetings, handbook, etc. (kept on Officewiki) |