Responsible Disclosure

The Organized Crime and Corruption Reporting Project works with dozens of investigative journalism organizations and hundreds of journalists around the globe. Security of our sources and colleagues is our top priority.

All software has bugs. We run a number of websites and services, adding up to millions of lines of code. While we strive to test and secure them as well as possible, our resources are limited. That is why we highly appreciate any responsibly disclosed information regarding potential vulnerabilities or security issues with our services.

Responsible Disclosure Policy

The point of contact is security@occrp.org, PGP/GPG fingerprint: 8AA2 D5B4 A0B5 B3DA E547 238C 5237 8B24 FB18 D161.

Rules

  • When you are creating an evaluation account for research purposes, please add the “bugbounty_” prefix to the username of your evaluation account. This only applies to systems that allow user signup for evaluation purposes.

  • If you stumble upon sensitive information, such as personal information, credentials, etc., during the assessment, do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.

  • Do not perform social engineering, phishing, or physical security attacks against offices, users, or employees.

  • Stay within the scope of the responsible disclosure program.

  • Be respectful when you are interacting with our team.

  • If you do not follow the rules, you may be banned from the responsible disclosure program.

  • We reserve the right to modify the rules for this program or deem any submissions invalid at any time. We may cancel the responsible disclosure program without notice at any time.

  • Please report to security@occrp.org and do not open issues on Github or other public channels.

What is in scope?

Please do not report:

  • Attacks requiring DNS takeover

  • Clickjacking without demonstration of impact

  • Denial of Service vulnerabilities that rely on overloading processing power or request volume

  • Mail relay server configuration issues

  • Missing/loosely configured DNS SPF records

  • Missing DNSSEC

  • Missing Public Key Pinning headers

  • Self-XSS

  • Software version disclosure

  • XSS requiring legacy browsers

What to expect

  • Please send information about security issues to security@occrp.org.

  • Please allow up to 5 working days for us to contact you.

  • We will coordinate with you on the advisory and security fix release date.

Disclosure

This program allows responsible disclosure, and we will work with you if you want to publish a blog post.

Compensation

As a non-profit we are sadly unable to offer any compensation for disclosed security issues. We will however gladly give credit to anyone responsibly disclosing a security issue to us.

Hall of Fame

We would like to thank all organizations and hackers who helped us, our colleagues, and our sources stay safe and secure by responsibly disclosing security issues affecting our services.

nhiephon

Found an exposed public Google Maps API link in VIS.

Aditya Soni

Reported an exposed Ruby server running in debug mode that caused an information leakage.

Shivam Pandey

Reported a problem in our external newsletter service provider.

Ratnadip Gajbhiye

Reported a misconfiguration of clickjacking protection in VIS, along with several minor issues in other OCCRP projects.

Savan

Reported a misconfiguration that allowed a clickjacking attack to be performed.

Sajibe Kanti

Reported a number of misconfiguration issues in OCCRP's Secure Sign-in that could in certain very specific circumstances lead to limited unauthorized information disclosure.

Special Thanks

YesWeHack

YesWeHack helped OCCRP keep VIS and Investigative Dashboard safe by running bug bounty programs on their BountyFactory site. The programs proved to be an effective way to find vulnerabilities and provided invaluable information regarding actual and potential security problems in services in question. This allowed us to fix both