Add security.txt to Wikimedia sites? (2023 edition)
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Reedy
	Jun 1 2023, 3:19 PM

Description

Following up on T187617: Add security.txt to Wikimedia sites?.

https://securitytxt.org/

https://github.com/securitytxt/security-txt

https://www.rfc-editor.org/rfc/rfc9116

The RFC has moved on a lot since 2018.

Also,

security.txt files have been implemented by Google, Facebook, GitHub, the UK government, and many other organisations. In addition, the UK’s Ministry of Justice, the Cybersecurity and Infrastructure Security Agency (US), the French government, the Italian government, the Dutch government, and the Australian Cyber Security Centre endorse the use of security.txt files.

Details

	Subject	Repo	Branch	Lines /-
	Implement security.txt standard	operations/mediawiki-config	master	8 -0
	Implementing security.txt standard	operations/mediawiki-config	master	0 -0

Customize query in gerrit

Related Objects

Mentioned In: T366005: Remove docroot/wikimediafoundation.org/ folder from mediawiki-config
Mentioned Here: T187617: Add security.txt to Wikimedia sites?

Event Timeline

Reedy created this task.Jun 1 2023, 3:19 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 1 2023, 3:19 PM

RhinosF1 subscribed.Jun 1 2023, 3:22 PM

TheresNoTime awarded a token.Jun 1 2023, 5:06 PM

TheresNoTime subscribed.

Izno awarded a token.Jun 1 2023, 7:34 PM

MatthewVernon added a project: Infrastructure-Foundations.Jun 5 2023, 12:39 PM

sbassett moved this task from Incoming to Watching on the Security-Team board.Jun 5 2023, 4:16 PM

sbassett added a project: SecTeam-Processed.

Dzahn subscribed.Jun 7 2023, 6:15 PM

Soda awarded a token.Aug 26 2023, 11:13 AM

Frostly awarded a token.Nov 13 2023, 5:41 AM

Frostly subscribed.

joanna_borun removed a project: Infrastructure-Foundations.Jan 29 2024, 3:46 PM

AS the original task was declined without comment, it would be helpful to understand what the input we're looking for in this task is (from SRE but also in general)? And who would be the decision maker, Security-Team?

In T337949#9497483, @LSobanski wrote:

AS the original task was declined without comment, it would be helpful to understand what the input we're looking for in this task is (from SRE but also in general)? And who would be the decision maker, Security-Team?

If we want to go that path (which I think makes sense, but is low prio), the decision (and filling in the data) would be for the security team. Who then eventually takes care of making sure we serve the file is TBD. We can also just drop SRE for now and then add it back when there is progress to the state that it needs SRE involvement.

ABran-WMF triaged this task as Medium priority.Jan 30 2024, 10:06 AM

Removing SRE, please add us back when the decision to implement this has been made.

sbassett raised the priority of this task from Medium to Needs Triage.Feb 6 2024, 4:01 PM

sbassett moved this task from Watching to Incoming on the Security-Team board.

sbassett removed a project: SecTeam-Processed.

• Cleo_Lemoisson assigned this task to mmartorana.Feb 12 2024, 5:19 PM

• Cleo_Lemoisson added a project: SecTeam-Processed.

sbassett changed the task status from Open to In Progress.Feb 12 2024, 5:20 PM

sbassett triaged this task as Low priority.

sbassett moved this task from Incoming to In Progress on the Security-Team board.

In T337949#9497580, @MoritzMuehlenhoff wrote:

In T337949#9497483, @LSobanski wrote:

AS the original task was declined without comment, it would be helpful to understand what the input we're looking for in this task is (from SRE but also in general)? And who would be the decision maker, Security-Team?

If we want to go that path (which I think makes sense, but is low prio), the decision (and filling in the data) would be for the security team. Who then eventually takes care of making sure we serve the file is TBD. We can also just drop SRE for now and then add it back when there is progress to the state that it needs SRE involvement.

I think incorporating a security.txt file could be an improvement of our security posture. It's already recognized as an accepted standard, making it a best practice worth considering. It could also help streamline the reporting process for security vulnerabilities and help ensuring that any issues are addressed efficiently.

Before committing to filling out the necessary data, we would need input from the SRE team to assess its feasibility.

Daimona awarded a token.Feb 22 2024, 3:01 AM

Daimona subscribed.

mmartorana claimed this task.Mar 11 2024, 4:53 PM

Change 1010970 had a related patch set uploaded (by Mmartorana; author: Mmartorana):

[operations/mediawiki-config@master] Implementing security.txt standard

https://gerrit.wikimedia.org/r/1010970

gerritbot added a project: Patch-For-Review.Mar 14 2024, 4:17 PM

Change 1010970 abandoned by Mmartorana:

[operations/mediawiki-config@master] Implementing security.txt standard

Reason:

https://gerrit.wikimedia.org/r/1010970