Wikimedia Security Team/Security Review Planning/2024-01-09

From mediawiki.org

Minutes for the Security Team's Q3 2023 (FY24) (January to March) quarterly planning session

Date: 2024-01-09

Secscrum board: https://phabricator.wikimedia.org/tag/secscrum/

Attending: CLemoisson-WMF, MMartorana_(WMF), MStyles_(WMF), SBassett_(WMF)

Below is from previous quarter, for now:

Completed Reviews, Previous Quarter

  1. Wikipedia ChatGPT - MStyles_(WMF) - T344853#9410749 - Resolving for now, plugin to be retired soon.
  2. FundraiseUp Vendor Products - MMartorana_(WMF) - T347104#9249277 - Andy C decided to resolve this as a medium risk, owned by Greg G and Fundraising Tech, within the AppSec Risk Register.
  3. Extension:WikimediaCampaignEvents - MMartorana_(WMF) - T350900#9423738 - Resolved as low risk.
  4. mck89/peast Vendor Package - SBassett_(WMF) - T347922#9419070 - Resolved as low risk.
  5. endroid/qr-code PHP library - MStyles_(WMF) - T339389#9201290 - Resolved as low risk, from the previous quarter.
  6. Extension:SpamRegex - MMartorana_(WMF) - T241451#8982475 - Resolved as low risk, from the previous quarter.

Reviews That Need Follow-Up This Quarter

  1. Comms WordPress plugins - MMartorana_(WMF) - T335004 - Needs follow-up; otherwise it will go into the risk register as a medium risk.

Updates Made For Other Review Tasks

  1. None.

Accepted Reviews To Complete This Quarter

  1. MathJax - MMartorana_(WMF) - T354136
  2. Matomo and related code - MStyles_(WMF) - T351657
  3. Extension:ReportIncident - SBassett_(WMF) - T350253
  4. Extension:CommunityConfiguration - MMartorana_(WMF) - T349568
  5. Floating UI - SBassett_(WMF) - T349569