UN Information Security Hall of Fame

To improve the protection of its Information and Communications Technology resources, the United Nations encourages the public to assist with its efforts by disclosing vulnerabilities in the United Nations' publicly accessible information systems.
The following individuals and organizations have helped the United Nations improve the security of the Organization's systems, data, and ICT resources by reporting the security issues and vulnerabilities they discovered.

United Nations Responsible Disclosure and Reporter Acknowledgment Policy

To improve the protection of its Information and Communications Technology resources, the United Nations encourages the public to assist with its efforts by disclosing vulnerabilities in the United Nations' publicly accessible information systems. The manner in which such assistance may be provided to the United Nations is set forth below.

What to Report to the United Nations

Security incidents and details of vulnerabilities associated with publicly accessible United Nations (UN) Information and Communications Technology resources, including websites.

Out of scope vulnerabilities include the following:

  • Clickjacking on pages with no sensitive or authenticated actions
  • xmlrpc.php being reachable when no admin page is exposed to the Internet
  • Software version disclosure/Banner identification issues
  • Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records etc.)
  • Missing best practices in SSL/TLS configuration
  • Any activity that could lead to the disruption of our service (DoS)
  • Open redirect – unless an additional security impact can be demonstrated
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Vulnerability Reporting Policy:

The UN will accept disclosures of vulnerabilities under the following conditions:

  1. The vulnerability has not already been publicly disclosed.
  2. The vulnerability should be reported to the UN as quickly as possible after its discovery.
  3. The vulnerability findings must remain confidential for at least 90 days following the date the vulnerability was reported to the UN or until public disclosure of the vulnerability has been made on this website.
  4. The severity of a vulnerability finding is assessed by the UN at its own discretion.
  5. The name and contact information of the reporter may be disclosed to affected technology vendor(s) unless otherwise requested by the reporter.

The UN reserves the right to accept or reject any security vulnerability disclosure report at its discretion.


Individuals or entities who wish to report a security vulnerability should follow the procedures set forth below:

  • Findings, including contact details, should be sent to infosec@un.org
  • The findings should be communicated as PGP-encrypted messages using the public key available on this website. Before encrypting, confirm that the fingerprint of the key you obtained is A001 EB04 2D38 7016 EEA8 CC54 798E 86D7 6B9A A810; a key with any other fingerprint is not the UN's key and must not be used.
  • As much information as possible regarding the finding should be communicated to the UN to enable the Organization to reproduce and verify the vulnerability, in order to implement appropriate remediation actions.
  • The vulnerability findings must remain confidential for at least 90 days following the date the vulnerability was reported to the UN or until public disclosure of the vulnerability has been made on this website.
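The fingerprint check in the procedure above is easy to skip by accident, because gpg will happily encrypt to whatever key was imported. The following script is an added example, not the UN's own tooling: it reads the key file without importing it, compares the primary key's fingerprint (whitespace stripped, case normalized) against the fingerprint published on this page, and only then imports the key and encrypts the report. The key file name "un-infosec.asc", the report file name, and the sample colon-format output used to exercise the check are assumptions constructed for this example; the fingerprint and the infosec@un.org address are those stated above.

```shell
#!/bin/sh
# Added example: verify a downloaded PGP key against the fingerprint
# published on the UN page before encrypting a report to it.
# Fingerprint and address are from the page; file names are assumed.

EXPECTED_FPR="A001 EB04 2D38 7016 EEA8 CC54 798E 86D7 6B9A A810"

# Strip whitespace and upper-case hex so that "a001 eb04 ..." and
# "A001EB04..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read gpg --with-colons records on stdin and print the fingerprint of the
# primary key only. In colon format, "fpr" records follow the "pub" or "sub"
# record they belong to, and the fingerprint is field 10.
primary_fprs() {
    awk -F: '$1 == "pub" { p = 1 } $1 == "sub" { p = 0 } $1 == "fpr" && p { print $10 }'
}

# Exit 0 if the primary fingerprint in the colon output on stdin equals
# EXPECTED_FPR, non-zero otherwise.
key_matches() {
    want=$(normalize_fpr "$EXPECTED_FPR")
    primary_fprs | tr 'a-f' 'A-F' | grep -qx "$want"
}

# Constructed sample of gpg --with-colons output for a key whose primary
# fingerprint is the one on the page. The subkey key ID and fingerprint are
# placeholders, not the UN's real subkey.
SAMPLE_COLONS='pub:u:4096:1:798E86D76B9AA810:1500000000::::::scESC::::::23::0:
fpr:::::::::A001EB042D387016EEA8CC54798E86D76B9AA810:
uid:u::::1500000000::0000000000000000000000000000000000000000::UN Information Security <infosec@un.org>::::::::::0:
sub:u:4096:1:0123456789ABCDEF:1500000000::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'

# Usage: encrypt_report un-infosec.asc report.txt
# --import-options show-only lists the key's records without importing it,
# so nothing enters the keyring until the fingerprint has been checked.
# --trust-model always is acceptable here only because that check just passed.
encrypt_report() {
    keyfile=$1
    report=$2
    if ! gpg --with-colons --import-options show-only --import "$keyfile" | key_matches; then
        echo "fingerprint of $keyfile does not match the published UN fingerprint; refusing to encrypt" >&2
        return 1
    fi
    gpg --batch --import "$keyfile" || return 1
    gpg --batch --yes --trust-model always --armor \
        --recipient "$(normalize_fpr "$EXPECTED_FPR")" \
        --output "$report.asc" --encrypt "$report"
}
```

Using the full fingerprint rather than a short key ID as the --recipient is deliberate: short key IDs can be collided, while the 40-hex-digit fingerprint identifies exactly the key that was checked. The resulting report.asc is what should be mailed to infosec@un.org.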

If more information is required regarding a reported vulnerability, the UN may contact the reporter; therefore it is important to provide valid contact details, including email address and/or telephone number.

If the conditions listed above are satisfied, the UN will verify the existence of the vulnerability, notify affected parties, and implement actions to mitigate the vulnerability.

Once the vulnerability has been remediated, the reporter will be acknowledged unless he or she wishes to remain anonymous, and listed (at his or her own discretion) on this page with a short description of the vulnerability reported.

By reporting vulnerability findings to the UN, the reporter acknowledges that such reporting is provided pro bono and without expectation of financial or other compensation. The reporter also affirms that neither he/she nor any entity that he/she represents is complicit in human rights abuses, tolerates forced or compulsory labour, uses child labour, is involved in the sale or manufacture of anti-personnel mines or their components, or otherwise fails to meet the purposes and principles of the United Nations.


Hall of Fame

Krish Pandey

Reported XSS vulnerability on unep.org
16 April 2022

Nilabh Rajpoot

Reported security misconfiguration vulnerability on un.org
6 April 2022

Upasana Bohra

Reported security misconfiguration vulnerability on un.org
29 March 2022

Abhith Damodaran

Reported XSS vulnerability on un.org
21 March 2022

Debprasad Banerjee-FAPS

Reported security misconfiguration on un.org
16 March 2022

Jyoti Agarwal (Mikasa)

Reported security misconfiguration vulnerability on unvienna.org
8 March 2022

Raju Basak

Reported security misconfiguration vulnerability on unvienna.org
3 February 2022

Amit Pathak (4M17)

Reported security misconfiguration vulnerability on unep.org
28 January 2022

Chandan Banawade

Reported clickjacking vulnerability on unep.org
25 January 2022

Anurag Verma

Reported information disclosure vulnerability on unvienna.org
23 January 2022

Joshua Arulsamy

Reported XSS vulnerability on un.org
19 January 2022

Yash Devkate

Reported a security misconfiguration vulnerability and a directory listing vulnerability on unep.org
19 January 2022

Sajjad Shariati

Reported a security misconfiguration vulnerability on un.org
16 January 2022

Eslam Mohamed

Reported SDE vulnerability on un.org
14 January 2022

Md. Shahriar Alam Shaon

Reported XSS vulnerability on humdata.org
13 January 2022

Vishal Vishwakarma

Reported SDE vulnerability on unescap.org
7 January 2022

Sandeep Kambhampati

Reported security misconfiguration vulnerability on ohchr.org
5 January 2022