Unfortunately, as the Wikimedia Foundation is a non-profit and charitable organization, it does not pay out bug bounties for disclosing security issues in our projects.
This list is not exhaustive, but it should be used as a guide to which vulnerability classes are in scope and out of scope, and to the domains they apply to.
For more information on how to report a security issue in MediaWiki or Wikimedia sites, please see the Reporting Security Bugs page on MediaWiki.org or at HackerOne.
In-scope domains
- mediawiki.org
- w.wiki
- wikibooks.org
- wikidata.org
- wikimedia.com
- wikimedia.org
- wikimediafoundation.org
- wikinews.org
- wikipedia.org
- wikisource.org
- wikiversity.org
- wikivoyage.org
- wiktionary.org
Examples of in-scope vulnerabilities
- Remote Code Execution (RCE)
- SQL injection (SQLi)
- Authorization bypass/escalation
- Sensitive information leaks
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
Examples of out-of-scope vulnerabilities
- SPF configuration, or lack thereof
- DKIM configuration, or lack thereof
- DMARC configuration, or lack thereof
- Clickjacking, also known as a "UI redress attack"
- That "anyone can edit" our projects
- Source code disclosure (unless it exposes a password or authentication key); our code is open source
- Vulnerabilities assumed from version numbers alone