Responsible Disclosure

The point of contact is security@occrp.org, PGP/GPG fingerprint: 8AA2 D5B4 A0B5 B3DA E547 238C 5237 8B24 FB18 D161.

Rules

• When you are creating an evaluation account for research purposes, please add the “bugbounty_” prefix to the username of your evaluation account. Only applies for systems that allow user signup for evaluation purposes.
• If you stumble upon sensitive information, such as personal information, credentials, etc., during the assessment; do not save, copy, store, transfer, disclose, or otherwise retain the data or personal information.
• Do not perform social engineering, phishing, and physical security attacks against offices, users, or employees.
• Stay within the scope of the responsible disclosure program.
• Be respectful when you are interacting with our team.
• If you do not follow the rules, you may be banned from the responsible disclosure program.
• We reserve the right to modify the rules for this program or deem any submissions invalid at any time. We may cancel the responsible disclosure program without notice at any time.
• Please report to security@occrp.org and do not open issues on Github or other public channels.

What is in scope?

• Services available at occrp.org and *.occrp.org, including aleph.occrp.org
• Supported versions of the Aleph open-source software published in the GitHub source code repository

Please do not report:

• Attacks requiring DNS takeover
• Clickjacking without demonstration of impact
• Denial of Service vulnerabilities by using an overload of processing power or requests
• Mail relay server configuration issues
• Missing/loosely configured DNS SPF records
• Missing DNSSEC
• Missing Public Key Pinning headers
• Self-XSS
• Software version disclosure
• XSS requiring legacy browsers

What to expect

• Please send information about security issues to security@occrp.org.
• Please allow up to 5 working days for us to contact you.
• We will coordinate with you on the advisory and security fix release date.

Disclosure

This program allows responsible disclosure and we will work with you if you want to publish a blogpost.

Compensation

As a non-profit we are sadly unable to offer any compensation for disclosed security issues. We will however gladly give credit to anyone responsibly disclosing a security issue to us.

We would like to thank all organizations and hackers who helped us, our colleagues, and our sources stay safe and secure by responsibly disclosing security issues affecting our services.