IOM Responsible Vulnerability Disclosure Program (VDP) 

To improve the protection of its Information and Communication Technologies (ICT) systems and assets, IOM encourages the public to assist with its efforts by disclosing vulnerabilities in IOM’s publicly accessible information systems and assets as well as reporting cybersecurity issues. 

What to Report to IOM 

The public is invited to report cybersecurity issues, incidents, and details of vulnerabilities associated with publicly accessible IOM ICT systems, including websites. 

Information on Vulnerability Reporting 

The following should be noted when reporting vulnerabilities and cybersecurity issues and incidents to IOM: 

  • The vulnerability and/or cybersecurity issue or incident should not already be publicly disclosed. 
  • The vulnerability and/or cybersecurity issue or incident should be reported to IOM as quickly as possible after its discovery. 
  • The reporter is expected to keep the vulnerability findings confidential for at least 90 days following the date the vulnerability or cybersecurity issue or incident was reported to IOM or until public disclosure of the vulnerability has been made on this website. 
  • The severity of a vulnerability finding is assessed by IOM at its own discretion. 
  • The name and contact information of the reporter may be disclosed to the affected technology vendor(s) unless otherwise requested by the reporter.

IOM reserves the right to accept or reject any security vulnerability, cybersecurity issue, or incident disclosure report at its discretion. 

If you believe you have found a vulnerability or issue and would like to report it, we ask that you submit a detailed description of the issue to us, including the steps that we can take to reproduce the issue and/or a proof-of-concept: 

  • The findings, together with your contact details, should be submitted via the submission form. 

As much information as possible regarding the finding should be communicated to IOM, so that the organization can reproduce and verify the vulnerability, issue, or incident and implement appropriate remediation actions. 

Once you submit a report to IOM, please allow the information security team a reasonable amount of time to respond to your report and correct the issue. 

If more information is required regarding a reported finding, IOM may contact the reporter; therefore, it is important to provide valid contact details, including email address and/or telephone number. 

Upon receipt of the report, IOM will verify the existence of the vulnerability, notify affected parties, and implement actions to mitigate the vulnerability. 

Once the vulnerability has been removed, the reporter will be acknowledged and, at his or her own discretion, listed on this page with a short description of the vulnerability reported, unless he/she wishes to remain anonymous. By reporting vulnerability findings to IOM, the reporter accepts that such reporting is provided pro bono and without expectation of financial or other compensation. The reporter also affirms that neither he/she nor any entity that he/she represents is complicit in human rights abuses, tolerates forced or compulsory labour or uses child labour, is involved in the sale or manufacture of anti-personnel mines or their components, or otherwise fails to meet the purposes and principles of the United Nations. 

IOM Information Security Hall of Fame 

IOM is grateful to the following individuals and organizations that have helped the Organization to improve the security of its information systems, data, and ICT resources by reporting security issues and discovered vulnerabilities.

2024

Reporter | Cyber Security Issue | Date
David Padilla | cross-site scripting (XSS) | 4 March 2024
Tejas Mane | Unauthorized Access | 15 February 2024
Hussain Saadi | Information Disclosure | 15 February 2024
Florian Wahl | Information Disclosure | 15 February 2024
Abbas Hamzayev | Information Disclosure | 14 January 2024
Abbas Hamzayev | Clickjacking | 14 January 2024
Ali Valiyev | Information Disclosure | 14 January 2024

2023

Reporter | Cyber Security Issue | Date
Abdullah Salah Alnbahani | cross-site scripting (XSS) | 27 December 2023
Yousif Abbas | HTML Injection | 29 November 2023
Bader Majed Almutairi | HTML Injection | 16 November 2023
Hassan Ali Al-abdullah | HTML Injection | 16 November 2023
Aditya singh | Sensitive Information Disclosure | 16 November 2023
Yaqoub Alsarraf | Cross-site Scripting | 30 October 2023
Ahliman | SQL Injection | 30 October 2023
Shaik Nasreen Fathima | Out-of-date Version | 30 October 2023
Shaik Nasreen Fathima | Information Disclosure | 30 October 2023
Kartik Garg | Clickjacking | 30 October 2023
Ehab Alsharkawy | Information Disclosure | 30 October 2023
Ehab Alsharkawy | Out-of-date Version | 30 October 2023
Phyo WaThone Win | Email triggering mechanism | 30 October 2023
Navreet | Information Disclosure | 30 October 2023
Sahil More | Server version disclosure | 30 October 2023
Navreet | Cross-Site Scripting | 30 October 2023
Navreet | Cross-Site Scripting | 19 October 2023
Magashwarahan A | Sensitive Information Disclosure | 19 October 2023
Ehab Alsharkawy | Information Disclosure | 19 October 2023
Jignesh Vaniya | Out-of-date Version | 16 October 2023
Jignesh Vaniya | Vulnerable PHP Version | 16 October 2023
HirokiSawada | Cross-Site Scripting | 16 October 2023
HirokiSawada | Cross-Site Scripting | 16 October 2023
Jignesh Vaniya | Sensitive Data Exposure | 5 October 2023
Jignesh Vaniya | OpenSSL Version | 5 October 2023
Devansh Chauhan | Prototype pollution | 5 October 2023
Kamil Rahuman | Clickjacking | 5 October 2023
Cosme Sousa | HTML Injection | 5 October 2023
Miguel Segovia | Cross-Site Scripting | 25 September 2023
Adrian Tirado Garcia | User Enumeration | 25 September 2023
Adrian Tirado Garcia | Visible Detailed Error Page | 25 September 2023
Adrian Tirado Garcia | Directory Listing | 25 September 2023
Abdullah Salah Alnbahani | Directory Listing | 20 September 2023
Ehab Alsharkawy | SQL parameter injection | 20 September 2023
Hamoud Mohsen Al-Mutairi | Sensitive Data Exposure | 20 September 2023
Shubham Patil | Cross-Site Scripting | 20 September 2023
Shubham Patil | Information exposure | 20 September 2023
Aman Verma | Cross-Site Scripting | 20 September 2023
Shubham Bothra | Cross-site scripting | 20 September 2023
Shubham Bothra | user information disclosure | 20 September 2023
Shubham Bothra | exposed web services | 19 September 2023
Shubham Bothra | info disclosure | 19 September 2023
Shubham Bothra | disclosing source code | 19 September 2023
Shubham Bothra | file-disclosure vulnerability | 19 September 2023
Abdullah Salah Alnbahani | Cross-Site Scripting | 19 September 2023
Shiv Pratap Singh | Sensitive File Disclosure | 19 September 2023
Shiv Pratap Singh | Prototype Pollution | 19 September 2023
Shiv Pratap Singh | Sensitive information exposure | 19 September 2023
FAIZ KHAN | Clickjacking | 19 September 2023
Aryan Jaiswal | Sensitive Data exposure | 19 September 2023
Kamil Rahuman | HTTP Strict Transport Security | 29 August 2023
Floris van Trier | Leaking private information | 29 August 2023
Floris van Trier | htaccess public | 29 August 2023
Floris van Trier | Outdated js library | 29 August 2023
Ehab Alsharkawy | PHP info disclosure | 29 August 2023
Rock Pratap Singh | Cross-site scripting (XSS) | 29 August 2023
Rock Pratap Singh | Information Disclosure | 24 August 2023
Milan | clickjacking | 1 Aug 2023
Jaser Deli | Remote Code Execution (RCE) | 31 July 2023
Fazil A M | Sensitive information Exposure | 14 July 2023
Abhishrey Gupta | Clickjacking | 14 July 2023
Abhith Damodaran | Sensitive Information Exposure | 14 June 2023
Jaser Deli | Cross-Site Scripting | 14 June 2023
Ngô Thái An | source code disclosure | 14 June 2023
Ngô Thái An | Sensitive Information Exposure | 14 June 2023
Pushpraj Patil | Reflected Cross-site Scripting (XSS) | 18 May 2023
Yassine Akrachli | PHP information leakage | 10 May 2023
Herry(mahetagaurang22) | CPanel information leakage | 10 May 2023
Ammar Mu'tashim | Unauthenticated XSS (CISCO) | 15 April 2023
Ahmad Atef Abdou | Unauthenticated XSS (CISCO) | 15 April 2023
Scott Weston (@WebbinRoot) | WordPress Enumeration Vulnerability | 15 April 2023
Scott Weston (@WebbinRoot) | Unauthenticated XSS (CISCO) | 15 April 2023
Bharat(mrnoob) | Sensitive Information Exposure (Domain) | 15 March 2023
Sumeet Baa | Unauthenticated Arbitrary File Deletion ('Path Traversal') | 15 March 2023
Fazil A M | Sensitive Information Exposure | 15 February 2023
Solanki Ajay (@i_am_xroot) | Cross Site Scripting (XSS) | 13 February 2023
Abdelrahman Ibrahim Farg | Vulnerable Subdomain Takeover | 10 February 2023
Fazil A M | Host header injection | 17 January 2023
Omar Bark | Host header injection | 17 January 2023
Sasi kumar | IP related issues | 17 January 2023
Durvesh Kolhe | Clickjacking | 4 January 2023
Nguyen Hoang Quoc An | Directory Listing | 4 January 2023
Nguyen Khanh Thuan | Security Misconfiguration | 4 January 2023
Nguyen Phu Hung | Open Redirection | 4 January 2023
xveysel10 (Bug Hunter) | Subdomain Takeover | 4 January 2023
Nguyen Khanh Thuan | Cross-Site Scripting (XSS) | 4 January 2023

2022

Reporter | Cyber Security Issue | Date
Chetan | Directory listing | 12 December 2022
NILESH AGARWAL | Password limit issues | 24 November 2022
xveysel10 | Subdomain expired | 24 November 2022
Selva MuthuKumaran | Clickjacking vulnerability | 24 November 2022
Ayansh Sinha (CyberDad) | Clickjacking | 15 November 2022
Ramlal | Clickjacking | 15 November 2022
Janhavi Sonatkar | Sensitive information exposure | 15 November 2022
Smriti chandravanshi | Clickjacking | 15 November 2022
Ramlal | Joomla configuration issues | 15 November 2022
Shivani Bhavsar | Clickjacking | 15 November 2022
Chetan | Clickjacking | 11 November 2022
Rajdip Dey Sarkar | Clickjacking | 11 November 2022
G Bharath kalyan | Password limit issue | 1 November 2022
Vijay Vilas Sutar | Clickjacking | 28 October 2022
Sugumaran J | Login CSRF - Login Authentication Flaw | 13 October 2022
Karan Rathod | Insecure HTTP request, responses | 1 October 2022
Harendra Yadav | Cloudflare bypasses | 1 October 2022
Hrishikesh Sathe | Drupal user enumeration | 23 September 2022
Parag Bagul | server side request forgery | 23 September 2022
Parag Bagul | .git file leakage of source code | 23 September 2022
Satyam Singh | IDOR vulnerability | 23 September 2022
Satyam Singh | Clickjacking vulnerability | 23 September 2022
Deepak Dhaka | GIT repository restriction vulnerability | 29 August 2022
Opinder Singh | Issue: Server-side request forgery | 29 August 2022
Opinder Singh | No rate limit on Login function | 29 August 2022
xveysel10 (Bug Hunter) | Directory Listing | 29 August 2022
Pavan Saxena | No rate limit on Login function | 8 August 2022
Vishnu Das | Directory Listing | 8 August 2022
Milan jain | Directory Listing | 8 August 2022
Rahul Sirvi | Violation of secure design principles | 3 August 2022
Nikhil Rane | Clickjacking | 3 August 2022
Harsh Bhanushali | Cross-Site Scripting (XSS) | 1 August 2022
Vinit Lakra | Stored XSS via File upload | 1 August 2022
Vinit Lakra | No rate limit on Login function | 25 July 2022
Vinit Lakra | Port Scan Vulnerabilities | 25 July 2022
Yash Kushwah | Prototype Pollution | 21 July 2022
Krishna Agarwal | Authentication Failures | 14 July 2022
Krishna Agarwal | WordPress Vulnerability | 14 July 2022
Ethiqal_Sam | Information Exposure Vulnerability | 13 July 2022
Biswajeet Ray | Text injection (content spoofing) Vulnerability | 04 July 2022
xveysel10 (Bug Hunter) | Server misconfiguration | 29 June 2022
xveysel10 (Bug Hunter) | Expired Website | 24 June 2022
xveysel10 (Bug Hunter) | Service Unavailable - DNS failure subdomain | 20 June 2022
Ammar "Em" Mu'tashim | Cross-site scripting (XSS) vulnerability | 15 June 2022
Salusgard | Spring Boot Actuator exposed | 13 June 2022
xveysel10 (Bug Hunter) | Service Unavailable - DNS failure | 9 June 2022
xveysel10 (Bug Hunter) | Security certificate expired | 9 June 2022
xveysel10 (Bug Hunter) | HTTP Error - Failed to load | 9 June 2022
Ilkin Javadov | Cyber Security Issue: Authentication Bypass | 23 May 2022
Justakazh | PHPinfo Information Disclosure | 17 May 2022
Veysel (Bug Hunter) | Subdomain-DNS failure | 4 May 2022
Francesco Carlucci (OpenCIRT) | Broken access control leads to sensitive data exposure | 4 April 2022
Toby Davenport | Cross-Site Scripting (XSS) Vulnerability | 31 March 2022
Toby Davenport | Cross-Site Scripting (XSS) Vulnerability | 29 March 2022
Nayeem Islam | XML-RPC vulnerability | 07 March 2022
Fabian Mucke | Disclosed WP database credentials in PHPInfo file | 18 February 2022
Hydd3n | WordPress Vulnerability | 10 January 2022
Infoziant Security | WordPress Multiple Vulnerabilities | 17 January 2022

2021

Reporter | Cyber Security Issue | Date
Guillaume Criloux | IOM’s website with a design flaw and inappropriate images uploaded. | 23 December 2021
Saeed Jaber - Abugosh | User passwords detected in dark web | 20 October 2021
Gaurang Maheta | Reported OpenSSH vulnerability | 22 July 2021
Gaurang Maheta | SMB-v1 detection | 01 July 2021
Gaurang Maheta | Reported XML-RPC vulnerability | 13 June 2021