IOM Responsible Vulnerability Disclosure Program (VDP)
To improve the protection of its Information and Communication Technologies (ICT) systems and assets, IOM encourages the public to assist with its efforts by disclosing vulnerabilities in IOM’s publicly accessible information systems and assets as well as reporting cybersecurity issues.
What to Report to IOM
The public is invited to report cybersecurity issues, incidents, and details of vulnerabilities associated with publicly accessible IOM ICT systems, including websites.
Information on Vulnerability Reporting
The following should be noted when reporting vulnerabilities and cybersecurity issues and incidents to IOM:
- The vulnerability and/or cybersecurity issue or incident should not already be publicly disclosed.
- The vulnerability and/or cybersecurity issue or incident should be reported to IOM as quickly as possible after its discovery.
- The reporter is expected to keep the vulnerability findings confidential for at least 90 days following the date the vulnerability or cybersecurity issue or incident was reported to IOM, or until public disclosure of the vulnerability has been made on this website.
- The severity of a vulnerability finding is assessed by IOM at its own discretion.
- The name and contact information of the reporter may be disclosed to the affected technology vendor(s) unless otherwise requested by the reporter.
- IOM reserves the right to accept or reject any security vulnerability, cybersecurity issue, or incident disclosure report at its discretion.
If you believe you have found a vulnerability or issue and would like to report it, we ask that you submit a detailed description of the issue to us, including the steps that we can take to reproduce the issue and/or a proof-of-concept:
- The findings, including the reporter's contact details, should be submitted using the submission form.
- As much information as possible regarding the finding should be communicated to IOM, so that the organization can reproduce and verify the vulnerability, issue, or incident and implement appropriate remediation actions.
Once you submit a report to IOM, please allow the information security team a reasonable amount of time to respond to your report and correct the issue.
If more information is required regarding a reported finding, IOM may contact the reporter; therefore, it is important to provide valid contact details, including email address and/or telephone number.
Upon receipt of the report, IOM will verify the existence of the vulnerability, notify affected parties, and implement actions to mitigate the vulnerability.
Once the vulnerability has been removed, the reporter will be acknowledged, unless he/she wishes to remain anonymous, and listed (at his or her own discretion) on this page with a short description of the vulnerability reported. By reporting vulnerability findings to IOM, the reporter accepts that such reporting is provided pro bono and without expectation of financial or other compensation. The reporter also affirms that neither he/she nor any entity that he/she represents is complicit in human rights abuses, tolerates forced or compulsory labour or uses child labour, is involved in the sale or manufacture of anti-personnel mines or their components, or otherwise does not meet the purposes and principles of the United Nations.
IOM Information Security Hall of Fame
IOM is grateful to the following individuals and organizations that have helped the Organization to improve the security of its information systems, data, and ICT resources by reporting security issues and discovered vulnerabilities.
| Reporter | Cyber Security Issue | Date |
|---|---|---|
| NILESH AGARWAL | Password limit issues | 24 November 2022 |
| xveysel10 | Subdomain expired | 24 November 2022 |
| Selva MuthuKumaran | Clickjacking vulnerability | 24 November 2022 |
| Ayansh Sinha (CyberDad) | Clickjacking | 15 November 2022 |
| Ramlal | Clickjacking | 15 November 2022 |
| Janhavi Sonatkar | Sensitive information exposure | 15 November 2022 |
| Smriti chandravanshi | Clickjacking | 15 November 2022 |
| Ramlal | Joomla configuration issues | 15 November 2022 |
| Shivani Bhavsar | Clickjacking | 15 November 2022 |
| Chetan | Clickjacking | 11 November 2022 |
| Rajdip Dey Sarkar | Clickjacking | 11 November 2022 |
| G Bharath kalyan | Password limit issue | 1 November 2022 |
| Vijay Vilas Sutar | Clickjacking | 28 October 2022 |
| Sugumaran J | Login CSRF - Login Authentication Flaw | 13 October 2022 |
| Karan Rathod | Insecure HTTP requests and responses | 1 October 2022 |
| Harendra Yadav | Cloudflare bypasses | 1 October 2022 |
| Hrishikesh Sathe | Drupal user enumeration | 23 September 2022 |
| Parag Bagul | Server-side request forgery | 23 September 2022 |
| Parag Bagul | .git file leakage of source code | 23 September 2022 |
| Satyam Singh | IDOR vulnerability | 23 September 2022 |
| Satyam Singh | Clickjacking vulnerability | 23 September 2022 |
| Deepak Dhaka | GIT repository restriction vulnerability | 29 August 2022 |
| Opinder Singh | Server-side request forgery | 29 August 2022 |
| Opinder Singh | No rate limit on login function | 29 August 2022 |
| xveysel10 (Bug Hunter) | Directory listing | 29 August 2022 |
| Pavan Saxena | No rate limit on login function | 8 August 2022 |
| Vishnu Das | Directory listing | 8 August 2022 |
| Milan jain | Directory listing | 8 August 2022 |
| Rahul Sirvi | Violation of secure design principles | 3 August 2022 |
| Nikhil Rane | Clickjacking | 3 August 2022 |
| Harsh Bhanushali | Cross-Site Scripting (XSS) | 1 August 2022 |
| Vinit Lakra | Stored XSS via file upload | 1 August 2022 |
| Vinit Lakra | No rate limit on login function | 25 July 2022 |
| Vinit Lakra | Port scan vulnerabilities | 25 July 2022 |
| Yash Kushwah | Prototype pollution | 21 July 2022 |
| Krishna Agarwal | Authentication failures | 14 July 2022 |
| Krishna Agarwal | WordPress vulnerability | 14 July 2022 |
| Ethiqal_Sam | Information exposure vulnerability | 13 July 2022 |
| Biswajeet Ray | Text injection (content spoofing) vulnerability | 4 July 2022 |
| xveysel10 (Bug Hunter) | Server misconfiguration | 29 June 2022 |
| xveysel10 (Bug Hunter) | Expired website | 24 June 2022 |
| xveysel10 (Bug Hunter) | Service unavailable - DNS failure on subdomain | 20 June 2022 |
| Ammar "Em" Mu'tashim | Cross-site scripting (XSS) vulnerability | 15 June 2022 |
| Salusgard | Spring Boot Actuator exposed | 13 June 2022 |
| xveysel10 (Bug Hunter) | Service unavailable - DNS failure | 9 June 2022 |
| xveysel10 (Bug Hunter) | Security certificate expired | 9 June 2022 |
| xveysel10 (Bug Hunter) | HTTP error - failed to load | 9 June 2022 |
| Ilkin Javadov | Authentication bypass | 23 May 2022 |
| Justakazh | PHPinfo information disclosure | 17 May 2022 |
| Veysel (Bug Hunter) | Subdomain DNS failure | 4 May 2022 |
| Francesco Carlucci (OpenCIRT) | Broken access control leading to sensitive data exposure | 4 April 2022 |
| Toby Davenport | Cross-Site Scripting (XSS) vulnerability | 31 March 2022 |
| Toby Davenport | Cross-Site Scripting (XSS) vulnerability | 29 March 2022 |
| Nayeem Islam | XML-RPC vulnerability | 7 March 2022 |
| Fabian Mucke | Disclosed WordPress database credentials in PHPinfo file | 18 February 2022 |
| Hydd3n | WordPress vulnerability | 10 January 2022 |
| Infoziant Security | WordPress multiple vulnerabilities | 17 January 2022 |
| Guillaume Criloux | IOM website design flaw and inappropriate images uploaded | 23 December 2021 |
| Saeed Jaber - Abugosh | User passwords detected on the dark web | 20 October 2021 |
| Gaurang Maheta | Reported OpenSSH vulnerability | 22 July 2021 |
| | | 1 July 2021 |
| | Reported XML-RPC vulnerability | 13 June 2021 |