SECURITY.md

File metadata and controls

51 lines (36 loc) · 3.95 KB

Security Policy

The Wikijump Team prioritizes security and will fix issues as soon as they are disclosed.

If you discover a security vulnerability, please privately contact the Wikijump Security Team. This can be done by emailing security@wikijump.org, or reaching out to a member individually:

| GitHub | Wikidot | Discord | Email |
| --- | --- | --- | --- |
| @emmiegit | aismallard | aismallard#0002 | emmie.maeda@gmail.com |
| @stormbreath | stormbreath | | |
| @rossjrw | Croquembouche | | ross@rossjrw.com |
| @danieltharp | pxdnbluesoul | | daniel.tharp@gmail.com |

Wikijump

After receiving a report of a security issue within Wikijump, we will confirm its receipt within 48 hours. After we have validated the issue and determined its scope, we will send a more detailed response within 72 hours. When a fix has been merged and deployed, you will be notified privately. If the security issue impacts Wikijump only, you may then disclose it publicly.

Wikidot

The Wikijump Security Team also receives reports of security issues within Wikidot. We encourage you to report any vulnerabilities or exploits you discover.

However, standard security disclosure cannot apply here, for three important reasons:

  1. Wikidot is controlled by a third party, so we are unable to apply security patches.
  2. Wikidot is completely unmaintained, so even severe vulnerabilities will not be fixed.
  3. Wikidot is actively used by a large number of users, and public disclosure of a vulnerability has the potential to cause a significant amount of harm with no recourse.

Because of this, the strategy we use is (unfortunately) based on mitigation and concealment. When you make your report, we will document it privately like other vulnerabilities and assess its current level of impact. If any occurrences of the issue are found in the wild, every effort will be made to remove or replace them while minimizing the number of people aware of the issue. If needed, a minimal number of administrators of large Wikidot sites will be made aware of recommended mitigations. Finally, the potential impact on Wikijump will be determined, and if the issue is also present there, it will be promptly fixed.

As such, you will be asked not to discuss the exploit. This request will only be lifted in the very unlikely scenario that Wikidot releases a patch.

We will not create an issue on feedback.wikidot.com, both because it is public and would become known to any potential bad actors, and because the issue is extremely unlikely to be fixed there. If we find a method of contacting Wikidot, Inc. that results in issues actually being fixed, we will use it to patch the vulnerabilities under our purview.

We understand that this is not in line with typical practices for responsible disclosure, but due to our lack of platform autonomy and the potentially massive impact of malicious use of vulnerabilities, this is our current strategy.

We acknowledge that concealment is not a substitute for proper patching, and that this is a temporary procedure until we are able to migrate fully onto Wikijump.

If you have questions, please contact a member of the Wikijump Security Team.