On a Friday evening in November of 2012, an errant line of code was found in MediaWiki, the software supporting Wikimedia sites and thousands of other wikis.
This potentially affected all of the sites in the world’s fifth most visited web property, including Wikipedia, Wikimedia Commons, Wiktionary, etc. It was a fixable security problem, but only if Wikimedia’s engineers were aware of the flaw.
At another website, this would be the type of problem that could generate thousands of disgruntled users. Or worse.
But at the Wikimedia Foundation, even outside normal office hours, a problem like this is flagged as a bug and listed as an issue almost immediately. And not always by developers who work for the Foundation.
In this case, Wikipedia User:PleaseStand spotted the flaw and filed a report, which then went through the chain of communication to the security team. The bug was fixed before any noticeable damage was done.
This is of course every website administrator’s dream – a Good Samaritan user quietly and diligently pointing out security flaws. But that goodwill doesn’t exist just anywhere.
“We usually don’t directly reach out to volunteers and ask them to actively look for security issues,” says Roan Kattouw, a Senior Software Engineer at the Wikimedia Foundation and a lead developer on MediaWiki. “Usually they approach us because they find an issue.”
Kattouw knows the process well. He started as a volunteer developer in the Wikimedia movement before joining the engineering team at the Foundation. He now works with volunteer developers to patch up holes in the MediaWiki code.