The Organized Crime and Corruption Reporting Project works with dozens of investigative journalism organizations and hundreds of journalists around the globe. Security of our sources and colleagues is our top priority.
All software has bugs. We run a number of websites and services, adding up to millions of lines of code. While we strive to test and secure them as well as possible, our resources are limited. That is why we highly appreciate any responsibly disclosed information regarding potential vulnerabilities or security issues with our services.
The point of contact is security@occrp.org, PGP/GPG fingerprint: 8AA2 D5B4 A0B5 B3DA E547 238C 5237 8B24 FB18 D161.
Rules
When you create an evaluation account for research purposes, please add the “bugbounty_” prefix to the username of your evaluation account. This applies only to systems that allow user signup for evaluation purposes.
If you stumble upon sensitive information, such as personal information, credentials, etc., during the assessment, do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.
Do not perform social engineering, phishing, or physical security attacks against offices, users, or employees.
Stay within the scope of the responsible disclosure program.
Be respectful when you are interacting with our team.
If you do not follow the rules, you may be banned from the responsible disclosure program.
We reserve the right to modify the rules for this program or deem any submissions invalid at any time. We may cancel the responsible disclosure program without notice at any time.
Please report to security@occrp.org and do not open issues on GitHub or other public channels.
What is in scope?
Services available at occrp.org and *.occrp.org, including aleph.occrp.org
Supported versions of the Aleph open-source software published in the GitHub source code repository
Please do not report:
Attacks requiring DNS takeover
Clickjacking without demonstration of impact
Denial of Service vulnerabilities by using an overload of processing power or requests
Mail relay server configuration issues
Missing/loosely configured DNS SPF records
Missing DNSSEC
Missing Public Key Pinning headers
Self-XSS
Software version disclosure
XSS requiring legacy browsers
What to expect
Please send information about security issues to security@occrp.org.
Please allow up to 5 working days for us to contact you.
We will coordinate with you on the advisory and security fix release date.
Disclosure
This program allows responsible disclosure and we will work with you if you want to publish a blogpost.
Compensation
As a non-profit, we are sadly unable to offer any compensation for disclosed security issues. We will, however, gladly give credit to anyone responsibly disclosing a security issue to us.
We would like to thank all organizations and hackers who helped us, our colleagues, and our sources stay safe and secure by responsibly disclosing security issues affecting our services.
Found an exposed public Google Maps API link in VIS.
Reported an exposed Ruby server running in debug mode that caused an information leakage.
Reported an XSS vulnerability in a POST parameter on the Reporting Project's People of Interest investigation.
Reported an exposed .git/config in the OCCRP website.
Reported a problem in our external newsletter service provider.
Reported a misconfiguration of clickjacking protection in VIS, along with several minor issues in other OCCRP projects.
Reported an information disclosure issue in the OCCRP website.
Reported, as part of the BountyFactory program for OCCRP, an e-mail related security issue with Investigative Dashboard.
Reported, as part of the BountyFactory program for OCCRP, an e-mail related security issue with Investigative Dashboard.
Reported, as part of the BountyFactory program for OCCRP, a security-related caching issue in VIS.
IT researcher from YesWeHack's BountyFactory.io
Reported, as part of the BountyFactory program for OCCRP, an XSS vulnerability in VIS.
Reported, as part of the BountyFactory program for OCCRP, an LFI vulnerability in VIS.
IT researcher from YesWeHack's BountyFactory.io
Reported an SPF misconfiguration issue.
Reported a misconfiguration that allowed a clickjacking attack.
Reported, as part of the BountyFactory program for OCCRP, an authentication related security issue with Investigative Dashboard.
Reported, as part of the BountyFactory program for OCCRP, a TLS-related issue with Investigative Dashboard.
Reported, as part of the BountyFactory program for OCCRP, an authentication related security issue with Investigative Dashboard.
Reported, as part of the BountyFactory program for OCCRP, a tabnabbing issue with Investigative Dashboard.
Reported a number of misconfiguration issues in OCCRP's Secure Sign-in that could in certain very specific circumstances lead to limited unauthorized information disclosure.
Reported, as part of the BountyFactory program for OCCRP, a number of misconfiguration issues in Investigative Dashboard, including a sensitive information leak.
IT researcher from YesWeHack's BountyFactory.io
Reported, as part of the BountyFactory program for OCCRP, a number of misconfiguration issues in Investigative Dashboard, including a sensitive information leak.
IT researcher from YesWeHack's BountyFactory.io
Reported, as part of the BountyFactory program for OCCRP, a number of misconfiguration issues in Investigative Dashboard.
IT researcher from YesWeHack's BountyFactory.io
Reported, as part of the BountyFactory program for OCCRP, a number of security issues in VIS, including XSS, CSRF, and RCE vulnerabilities.
YesWeHack
Reported, as part of the BountyFactory program for OCCRP, a number of security issues in VIS, including an XSS vulnerability.