Responsible Disclosure

The Organized Crime and Corruption Reporting Project works with dozens of investigative journalism organizations and hundreds of journalists around the globe. Security of our sources and colleagues is our top priority.

All software has bugs. We run a number of websites and services, adding up to millions of lines of code. While we strive to test and secure them as well as possible, our resources are limited. That is why we highly appreciate any responsibly disclosed information regarding potential vulnerabilities or security issues with our services.

Responsible disclosure policy

When disclosing security issues to us, please follow RFPolicy 2.0.
The point of contact is security@occrp.org, PGP/GPG fingerprint:
8AA2 D5B4 A0B5 B3DA E547 238C 5237 8B24 FB18 D161

In short:

As a non-profit we are sadly unable to offer any compensation for disclosed security issues. We will, however, gladly give credit to anyone responsibly disclosing a security issue to us.

Hall of fame

We would like to thank all organizations and hackers who helped us, our colleagues, and our sources stay safe and secure by responsibly disclosing security issues affecting our services.

5P3C73R

affiliation: IT researcher from YesWeHack's BountyFactory.io

Reported, as part of the BountyFactory program for OCCRP, a security-related caching issue in VIS.

Baptiste Cauvin

Reported, as part of the BountyFactory program for OCCRP, an XSS vulnerability in VIS.

Gromak123

affiliation: IT researcher from YesWeHack's BountyFactory.io

Reported, as part of the BountyFactory program for OCCRP, an LFI vulnerability in VIS.

Savan

Reported a misconfiguration that allowed a clickjacking attack.

Sajibe Kanti

Reported a number of misconfiguration issues in OCCRP's Secure Sign-in that could in certain very specific circumstances lead to limited unauthorized information disclosure.

SaxX

affiliation: IT researcher from YesWeHack's BountyFactory.io

Reported, as part of the BountyFactory program for OCCRP, a number of misconfiguration issues in Investigative Dashboard, including a sensitive information leak.

BZHash

affiliation: IT researcher from YesWeHack's BountyFactory.io

Reported, as part of the BountyFactory program for OCCRP, a number of misconfiguration issues in Investigative Dashboard, including a sensitive information leak.

joker2a

affiliation: IT researcher from YesWeHack's BountyFactory.io

Reported, as part of the BountyFactory program for OCCRP, a number of misconfiguration issues in Investigative Dashboard.

onemore

affiliation: YesWeHack

Reported, as part of the BountyFactory program for OCCRP, a number of security issues in VIS, including XSS, CSRF, and RCE vulnerabilities.

thomas__

affiliation: YesWeHack

Reported, as part of the BountyFactory program for OCCRP, a number of security issues in VIS, including an XSS vulnerability.

Special Thanks