The Organized Crime and Corruption Reporting Project (OCCRP; https://www.occrp.org/) is an investigative reporting platform formed by 24 non-profit investigative centers, scores of journalists and several major regional news organizations around the globe, and operated by the Journalism Development Network. Our work has included involvement in the original Panama Papers investigation, among many other projects. Because of the nature of this work, security is paramount to us.
Visual Investigative Scenarios (VIS; https://vis.occrp.org/) is a data visualization platform designed to help investigative journalists, activists and others map complex business or crime networks. Its aim is to help investigators understand and explain corruption, organized crime and other wrongdoing, and to translate complex narratives into a simple, universal visual language.
Eligibility and responsible disclosure:
- You are responsible for complying with any applicable laws, and you should only use your own accounts or test accounts for reporting vulnerabilities.
- Any vulnerability found must be reported no later than 24 hours after discovery.
- You are not allowed to disclose details about the vulnerability anywhere else.
- You must avoid tests that could cause degradation or interruption of our service.
- You must not leak, manipulate, or destroy any user data.
- You must report a qualifying vulnerability through the BountyFactory reporting platform.
- For vulnerabilities that could theoretically put the system out of service, the OCCRP Tech Team must be contacted before any such test to validate the approach and to avoid network attacks and unplanned downtime; the OCCRP Tech Team will coordinate a test schedule for those kinds of vulnerabilities.
Out of scope:
- Logout CSRF
- Brute force or DDoS attacks
- HSTS or CSP headers
- Banner or version disclosures.
- Missing cookie flags on non-security sensitive cookies
- Presence of autocomplete attribute on web forms
- Disclosure of known public files or directories, (e.g. robots.txt)
- Use of a known-vulnerable library without evidence of exploitability
- Denial of service
- Social engineering (including phishing) of OCCRP staff or contractors
- Any physical attempts against OCCRP property
Rewards:
- Hall of Fame
- A limited-edition T-shirt with the OCCRP logo and the text "I helped Organized Crime and Corruption Reporting Project be more secure and all I got is this lousy T-shirt". A reported vulnerability does not automatically win the hunter a T-shirt: OCCRP will evaluate the criticality of the reported vulnerability using CVSS and base the decision to award a T-shirt on that and on YesWeHack staff recommendations.
- Depending on the number and severity of vulnerabilities found, OCCRP will consider other gifts, such as lapel pins, campaign buttons or stickers.
Program updates:
- 17/05/2017: VIS put in read-only mode; program put on hiatus in order to fix known critical vulnerabilities.
- 18/05/2017: VIS back in read-write mode.