IOM Responsible Vulnerability Disclosure Program (VDP)
To improve the protection of its Information and Communication Technologies (ICT) systems and assets, IOM encourages the public to assist with its efforts by disclosing vulnerabilities in IOM’s publicly accessible information systems and assets as well as reporting cybersecurity issues.
What to Report to IOM
The public is invited to report cybersecurity issues, incidents, and details of vulnerabilities associated with publicly accessible IOM ICT systems, including websites.
Information on Vulnerability Reporting
The following should be noted when reporting vulnerabilities and cybersecurity issues and incidents to IOM:
- The vulnerability and/or cybersecurity issue or incident should not already be publicly disclosed.
- The vulnerability and/or cybersecurity issue or incident should be reported to IOM as quickly as possible after its discovery.
- The reporter is expected to keep the vulnerability findings confidential for at least 90 days following the date the vulnerability or cybersecurity issue or incident was reported to IOM or until public disclosure of the vulnerability has been made on this website.
- The severity of a vulnerability finding is assessed by IOM at its own discretion.
- The name and contact information of the reporter may be disclosed to the affected technology vendor(s) unless otherwise requested by the reporter.
IOM reserves the right to accept or reject any vulnerability, cybersecurity issue or incident report at its discretion.
If you believe you have found a vulnerability or issue and would like to report it, submit a detailed description of the issue, including the steps we can take to reproduce it and/or a proof-of-concept:
- Submit the findings, together with your contact details, through the submission form.
- Include as much information as possible so that IOM can reproduce and verify the vulnerability, issue or incident and implement appropriate remediation actions.
Once you submit a report to IOM, please allow the information security team a reasonable amount of time to respond to your report and correct the issue.
If more information is required regarding a reported finding, IOM may contact the reporter; therefore, it is important to provide valid contact details, including email address and/or telephone number.
Upon receipt of the report, IOM will verify the existence of the vulnerability, notify affected parties, and implement actions to mitigate the vulnerability.
Once the vulnerability has been removed, the reporter will be acknowledged and, at their own discretion, listed on this page with a short description of the vulnerability reported, unless they wish to remain anonymous.
By reporting vulnerability findings to IOM, the reporter accepts that such reporting is provided pro bono and without expectation of financial or other compensation.
The reporter also affirms that neither they nor any entity they represent is complicit in human rights abuses, tolerates forced or compulsory labour, uses child labour, is involved in the sale or manufacture of anti-personnel mines or their components, or otherwise fails to meet the purposes and principles of the United Nations.
IOM Information Security Hall of Fame
IOM is grateful to the following individuals and organizations that have helped the Organization to improve the security of its information systems, data, and ICT resources by reporting security issues and discovered vulnerabilities.
2024
| Reporter | Cyber Security Issue | Date |
| --- | --- | --- |
| YILIYASI AIMAIER | Sensitive Information Disclosure | 25 October 2024 |
| Moamel Shakeer | Cross Site Scripting | 25 October 2024 |
| Gurudatt Choudhary | Cross Site Scripting | 25 October 2024 |
| AKHIL C.D. | Header Injection | 25 October 2024 |
| AKHIL C.D. | Sensitive Information Disclosure | 25 October 2024 |
| Vimal M | Unauthorized access | 8 August 2024 |
| Rajkumar Shanmugam | Unauthorized access | 2 August 2024 |
| David Padilla | cross-site scripting (XSS) | 4 March 2024 |
| Tejas Mane | Unauthorized Access | 15 February 2024 |
| Hussain Saadi | Information Disclosure | 15 February 2024 |
| Florian Wahl | Information Disclosure | 15 February 2024 |
| Abbas Hamzayev | Information Disclosure | 14 January 2024 |
| Abbas Hamzayev | Clickjacking | 14 January 2024 |
| Ali Valiyev | Information Disclosure | 14 January 2024 |
2023
| Reporter | Cyber Security Issue | Date |
| --- | --- | --- |
| Abdullah Salah Alnbahani | cross-site scripting (XSS) | 27 December 2023 |
| Yousif Abbas | HTML Injection | 29 November 2023 |
| Bader Majed Almutairi | HTML Injection | 16 November 2023 |
| Hassan Ali Al-abdullah | HTML Injection | 16 November 2023 |
| Aditya singh | Sensitive Information Disclosure | 16 November 2023 |
| Yaqoub Alsarraf | Cross-site Scripting | 30 October 2023 |
| Ahliman | SQL Injection | 30 October 2023 |
| Shaik Nasreen Fathima | Out-of-date Version | 30 October 2023 |
| Shaik Nasreen Fathima | Information Disclosure | 30 October 2023 |
| Kartik Garg | Clickjacking | 30 October 2023 |
| Ehab Alsharkawy | Information Disclosure | 30 October 2023 |
| Ehab Alsharkawy | Out-of-date Version | 30 October 2023 |
| Phyo WaThone Win | Email triggering mechanism | 30 October 2023 |
| Navreet | Information Disclosure | 30 October 2023 |
| Sahil More | Server version disclosure | 30 October 2023 |
| Navreet | Cross-Site Scripting | 30 October 2023 |
| Navreet | Cross-Site Scripting | 19 October 2023 |
| Magashwarahan A | Sensitive Information Disclosure | 19 October 2023 |
| Ehab Alsharkawy | Information Disclosure | 19 October 2023 |
| Jignesh Vaniya | Out-of-date Version | 16 October 2023 |
| Jignesh Vaniya | Vulnerable PHP Version | 16 October 2023 |
| HirokiSawada | Cross-Site Scripting | 16 October 2023 |
| HirokiSawada | Cross-Site Scripting | 16 October 2023 |
| Jignesh Vaniya | Sensitive Data Exposure | 5 October 2023 |
| Jignesh Vaniya | OpenSSL Version | 5 October 2023 |
| Devansh Chauhan | Prototype pollution | 5 October 2023 |
| Kamil Rahuman | Clickjacking | 5 October 2023 |
| Cosme Sousa | HTML Injection | 5 October 2023 |
| Miguel Segovia | Cross-Site Scripting | 25 September 2023 |
| Adrian Tirado Garcia | User Enumeration | 25 September 2023 |
| Adrian Tirado Garcia | Visible Detailed Error Page | 25 September 2023 |
| Adrian Tirado Garcia | Directory Listing | 25 September 2023 |
| Abdullah Salah Alnbahani | Directory Listing | 20 September 2023 |
| Ehab Alsharkawy | SQL parameter injection | 20 September 2023 |
| Hamoud Mohsen Al-Mutairi | Sensitive Data Exposure | 20 September 2023 |
| Shubham Patil | Cross-Site Scripting | 20 September 2023 |
| Shubham Patil | Information exposure | 20 September 2023 |
| Aman Verma | Cross-Site Scripting | 20 September 2023 |
| Shubham Bothra | Cross-site scripting | 20 September 2023 |
| Shubham Bothra | user information disclosure | 20 September 2023 |
| Shubham Bothra | exposed web services | 19 September 2023 |
| Shubham Bothra | info disclosure | 19 September 2023 |
| Shubham Bothra | disclosing source code | 19 September 2023 |
| Shubham Bothra | file-disclosure vulnerability | 19 September 2023 |
| Abdullah Salah Alnbahani | Cross-Site Scripting | 19 September 2023 |
| Shiv Pratap Singh | Sensitive File Disclosure | 19 September 2023 |
| Shiv Pratap Singh | Prototype Pollution | 19 September 2023 |
| Shiv Pratap Singh | Sensitive information exposure | 19 September 2023 |
| FAIZ KHAN | Clickjacking | 19 September 2023 |
| Aryan Jaiswal | Sensitive Data exposure | 19 September 2023 |
| Kamil Rahuman | HTTP Strict Transport Security | 29 August 2023 |
| Floris van Trier | Leaking private information | 29 August 2023 |
| Floris van Trier | htaccess public | 29 August 2023 |
| Floris van Trier | Outdated js library | 29 August 2023 |
| Ehab Alsharkawy | PHP info disclosure | 29 August 2023 |
| Rock Pratap Singh | Cross-site scripting (XSS) | 29 August 2023 |
| Rock Pratap Singh | Information Disclosure | 24 August 2023 |
| Milan | clickjacking | 1 Aug 2023 |
| Jaser Deli | Remote Code Execution (RCE) | 31 July 2023 |
| Fazil A M | Sensitive information Exposure | 14 July 2023 |
| Abhishrey Gupta | Clickjacking | 14 July 2023 |
| Abhith Damodaran | Sensitive Information Exposure | 14 June 2023 |
| Jaser Deli | Cross-Site Scripting | 14 June 2023 |
| Ngô Thái An | source code disclosure | 14 June 2023 |
| Ngô Thái An | Sensitive Information Exposure | 14 June 2023 |
| Pushpraj Patil | Reflected Cross-site Scripting (XSS) | 18 May 2023 |
| Yassine Akrachli | PHP information leakage | 10 May 2023 |
| Herry(mahetagaurang22) | CPanel information leakage | 10 May 2023 |
| Ammar Mu'tashim | Unauthenticated XSS (CISCO) | 15 April 2023 |
| Ahmad Atef Abdou | Unauthenticated XSS (CISCO) | 15 April 2023 |
| Scott Weston (@WebbinRoot) | WordPress Enumeration Vulnerability | 15 April 2023 |
| Scott Weston (@WebbinRoot) | Unauthenticated XSS (CISCO) | 15 April 2023 |
| Bharat(mrnoob) | Sensitive Information Exposure (Domain) | 15 March 2023 |
| Sumeet Baa | Unauthenticated Arbitrary File Deletion ('Path Traversal') | 15 March 2023 |
| Fazil A M | Sensitive Information Exposure | 15 February 2023 |
| Solanki Ajay (@i_am_xroot) | Cross Site Scripting (XSS) | 13 February 2023 |
| Abdelrahman Ibrahim Farg | Vulnerable Subdomain Takeover | 10 February 2023 |
| Fazil A M | Host header injection | 17 January 2023 |
| Omar Bark | Host header injection | 17 January 2023 |
| Sasi kumar | IP related issues | 17 January 2023 |
| Durvesh Kolhe | Clickjacking | 4 January 2023 |
| Nguyen Hoang Quoc An | Directory Listing | 4 January 2023 |
| Nguyen Khanh Thuan | Security Misconfiguration | 4 January 2023 |
| Nguyen Phu Hung | Open Redirection | 4 January 2023 |
| xveysel10 (Bug Hunter) | Subdomain Takeover | 4 January 2023 |
| Nguyen Khanh Thuan | Cross-Site Scripting (XSS) | 4 January 2023 |
2022
| Reporter | Cyber Security Issue | Date |
| --- | --- | --- |
| Chetan | Directory listing | 12 December 2022 |
| NILESH AGARWAL | Password limit issues | 24 November 2022 |
| xveysel10 | Subdomain expired | 24 November 2022 |
| Selva MuthuKumaran | Clickjacking vulnerability | 24 November 2022 |
| Ayansh Sinha (CyberDad) | Clickjacking | 15 November 2022 |
| Ramlal | Clickjacking | 15 November 2022 |
| Janhavi Sonatkar | Sensitive information exposure | 15 November 2022 |
| Smriti chandravanshi | Clickjacking | 15 November 2022 |
| Ramlal | Joomla configuration issues | 15 November 2022 |
| Shivani Bhavsar | Clickjacking | 15 November 2022 |
| Chetan | Clickjacking | 11 November 2022 |
| Rajdip Dey Sarkar | Clickjacking | 11 November 2022 |
| G Bharath kalyan | Password limit issue | 1 November 2022 |
| Vijay Vilas Sutar | Clickjacking | 28 October 2022 |
| Sugumaran J | Login CSRF - Login Authentication Flaw | 13 October 2022 |
| Karan Rathod | Insecure HTTP request, responses | 1 October 2022 |
| Harendra Yadav | Cloudflare bypasses | 1 October 2022 |
| Hrishikesh Sathe | Drupal user enumeration | 23 September 2022 |
| Parag Bagul | server side request forgery | 23 September 2022 |
| Parag Bagul | .git file leakage of source code | 23 September 2022 |
| Satyam Singh | IDOR vulnerability | 23 September 2022 |
| Satyam Singh | Clickjacking vulnerability | 23 September 2022 |
| Deepak Dhaka | GIT repository restriction vulnerability | 29 August 2022 |
| Opinder Singh | Issue: Server-side request forgery | 29 August 2022 |
| Opinder Singh | No rate limit on Login function | 29 August 2022 |
| xveysel10 (Bug Hunter) | Directory Listing | 29 August 2022 |
| Pavan Saxena | No rate limit on Login function | 8 August 2022 |
| Vishnu Das | Directory Listing | 8 August 2022 |
| Milan jain | Directory Listing | 8 August 2022 |
| Rahul Sirvi | Violation of secure design principles | 3 August 2022 |
| Nikhil Rane | Clickjacking | 3 August 2022 |
| Harsh Bhanushali | Cross-Site Scripting (XSS) | 1 August 2022 |
| Vinit Lakra | Stored XSS via File upload | 1 August 2022 |
| Vinit Lakra | No rate limit on Login function | 25 July 2022 |
| Vinit Lakra | Port Scan Vulnerabilities | 25 July 2022 |
| Yash Kushwah | Prototype Pollution | 21 July 2022 |
| Krishna Agarwal | Authentication Failures | 14 July 2022 |
| Krishna Agarwal | WordPress Vulnerability | 14 July 2022 |
| Ethiqal_Sam | Information Exposure Vulnerability | 13 July 2022 |
| Biswajeet Ray | Text injection (content spoofing) Vulnerability | 04 July 2022 |
| xveysel10 (Bug Hunter) | Server misconfiguration | 29 June 2022 |
| xveysel10 (Bug Hunter) | Expired Website | 24 June 2022 |
| xveysel10 (Bug Hunter) | Service Unavailable - DNS failure subdomain | 20 June 2022 |
| Ammar "Em" Mu'tashim | Cross-site scripting (XSS) vulnerability | 15 June 2022 |
| Salusgard | Spring Boot Actuator exposed | 13 June 2022 |
| xveysel10 (Bug Hunter) | Service Unavailable - DNS failure | 9 June 2022 |
| xveysel10 (Bug Hunter) | Security certificate expired | 9 June 2022 |
| xveysel10 (Bug Hunter) | HTTP Error - Failed to load | 9 June 2022 |
| Ilkin Javadov | Cyber Security Issue: Authentication Bypass | 23 May 2022 |
| Justakazh | PHPinfo Information Disclosure | 17 May 2022 |
| Veysel (Bug Hunter) | Subdomain-DNS failure | 4 May 2022 |
| Francesco Carlucci (OpenCIRT) | Broken access control leads to sensitive data exposure | 4 April 2022 |
| Toby Davenport | Cross-Site Scripting (XSS) Vulnerability | 31 March 2022 |
| Toby Davenport | Cross-Site Scripting (XSS) Vulnerability | 29 March 2022 |
| Nayeem Islam | XML-RPC vulnerability | 07 March 2022 |
| Fabian Mucke | Disclosed WP database credentials in PHPInfo file | 18 February 2022 |
| Hydd3n | WordPress Vulnerability | 10 January 2022 |
| Infoziant Security | WordPress Multiple Vulnerabilities | 17 January 2022 |
2021
| Reporter | Cyber Security Issue | Date |
| --- | --- | --- |
| Guillaume Criloux | IOM’s website with a design flaw and inappropriate images uploaded. | 23 December 2021 |
| Saeed Jaber - Abugosh | User passwords detected in dark web | 20 October 2021 |
| Gaurang Maheta | Reported OpenSSH vulnerability | 22 July 2021 |
| Gaurang Maheta | SMB-v1 detection | 01 July 2021 |
| Gaurang Maheta | Reported XML-RPC vulnerability | 13 June 2021 |