Unfortunately, as the Wikimedia Foundation is a non-profit and charitable organization, it does not pay out bug bounties for disclosing security issues in our projects.
This list is not exhaustive, but it should be used as a guide to which vulnerabilities are in scope and out of scope, and to the domains to which they apply.
For more information on how to report a security issue in MediaWiki or Wikimedia sites, please see the Reporting Security Bugs page on MediaWiki.org or at HackerOne.
Examples of in-scope vulnerabilities
- Remote Code Execution (RCE)
- SQL injection (SQLi)
- Authorization bypass/escalation
- Sensitive information leaks
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
Examples of out-of-scope vulnerabilities
- SPF configuration, or lack thereof
- DKIM configuration, or lack thereof
- DMARC configuration, or lack thereof
- That "anyone can edit" our projects
- Source code disclosures (unless they expose a password or authentication key); our code is open source
- Assumed vulnerabilities based upon version numbers only