nhiephon
Found an exposed public Google Maps API link in VIS.
The Organized Crime and Corruption Reporting Project works with dozens of investigative journalism organizations and hundreds of journalists around the globe. Security of our sources and colleagues is our top priority.
All software has bugs. We run a number of websites and services, adding up to millions of lines of code. While we strive to test and secure them as well as possible, our resources are limited. That is why we highly appreciate any responsibly disclosed information regarding potential vulnerabilities or security issues with our services.
The point of contact is [email protected], PGP/GPG fingerprint: 8AA2 D5B4 A0B5 B3DA E547 238C 5237 8B24 FB18 D161.
Rules
When you are creating an evaluation account for research purposes, please add the “bugbounty_” prefix to the username of your evaluation account. Only applies for systems that allow user signup for evaluation purposes.
If you stumble upon sensitive information, such as personal information, credentials, etc., during the assessment; do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.
Do not perform social engineering, phishing, and physical security attacks against offices, users, or employees.
Stay within the scope of the responsible disclosure program.
Be respectful when you are interacting with our team.
If you do not follow the rules, you may be banned from the responsible disclosure program.
We reserve the right to modify the rules for this program or deem any submissions invalid at any time. We may cancel the responsible disclosure program without notice at any time.
Please report to [email protected] and do not open issues on Github or other public channels.
What is in scope?
Services available at occrp.org and *.occrp.org, including aleph.occrp.org
Supported versions of the Aleph open-source software published in the GitHub source code repository
Please do not report:
Attacks requiring DNS takeover
Clickjacking without demonstration of impact
Denial of Service vulnerabilities by using an overload of processing power or requests
Mail relay server configuration issues
Missing/loosely configured DNS SPF records
Missing DNSSEC
Missing Public Key Pinning headers
Self-XSS
Software version disclosure
XSS requiring legacy browsers
What to expect
Please send information about security issues to [email protected].
Please allow up to 5 working days for us to contact you.
We will coordinate with you on the advisory and security fix release date.
Disclosure
This program allows responsible disclosure and we will work with you if you want to publish a blogpost.
Compensation
As a non-profit we are sadly unable to offer any compensation for disclosed security issues. We will however gladly give credit to anyone responsibly disclosing a security issue to us.
We would like to thank all organizations and hackers who helped us, our colleagues, and our sources stay safe and secure by responsibly disclosing security issues affecting our services.
Found an exposed public Google Maps API link in VIS.
Reported an exposed Ruby server running in debug mode that caused an information leakage.
Reported a XSS vulnerability in a POST parameter on Reporting Project's People of Interest investigation.
Reported an exposed .git/config in the OCCRP website.
Reported an problem in our external newsletter service provider.
Reported a misconfiguration of clickjacking protection in VIS, along with several minor issues in other OCCRP projects.
Reported an information disclosure issue OCCRP website.
Reported, as part of the BountyFactory program for OCCRP, an e-mail related security issue with Investigative Dashboard.
Reported, as part of the BountyFactory program for OCCRP, an e-mail related security issue with Investigative Dashboard.
Reported, as part of the BountyFactory program for OCCRP, a security-related caching issue in VIS.
IT researcher from YesWeHack's BountyFactory.io
Reported, as part of the BountyFactory program for OCCRP, an XSS vulnerability in VIS.
Reported, as part of the BountyFactory program for OCCRP, an LFI vulnerability in VIS.
IT researcher from YesWeHack's BountyFactory.io
Reported an SPF misconfiguration issue.
Reported a misconfiguration allowing to perform a clickjacking attack.
Reported, as part of the BountyFactory program for OCCRP, an authentication related security issue with Investigative Dashboard.
Reported, as part of the BountyFactory program for OCCRP, a TLS-related issue with Investigative Dashboard.
Reported, as part of the BountyFactory program for OCCRP, an authentication related security issue with Investigative Dashboard.
Reported, as part of the BountyFactory program for OCCRP, a tabnapping issue with Investigative Dashboard.
Reported a number of misconfiguration issues in OCCRP's Secure Sign-in that could in certain very specific circumstances lead to limited unauthorized information disclosure.
Reported, as part of the BountyFactory program for OCCRP, a number of misconfiguration issues in Investigative Dashboard, including sensitive information leak.
IT researcher from YesWeHack's BountyFactory.io
Reported, as part of the BountyFactory program for OCCRP, a number of misconfiguration issues in Investigative Dashboard, including sensitive information leak.
IT researcher from YesWeHack's BountyFactory.io
Reported, as part of the BountyFactory program for OCCRP, a number of misconfiguration issues in Investigative Dashboard.
IT researcher from YesWeHack's BountyFactory.io
Reported, as part of the BountyFactory program for OCCRP, a number of security issues in VIS, including XSS, CSRF, and RCE vulnerabilities.
YesWeHack
Reported, as part of the BountyFactory program for OCCRP, a number of security issues in VIS, including an XSS vulnerability.