2021-03-29
WHO COVID-19 Mobile App

World Health Organization (WHO) COVID-19 Mobile App

This program is for the WHO COVID-19 Mobile App and not for any of WHO's other infrastructure. WHO is grateful to the security researchers that have volunteered their time to keep the app safe and secure for everyone. Please do not test against the production infrastructure but instead use the dedicated hacking server:

```
git clone https://github.com/WorldHealthOrganization/app
cd app/client
flutter run --flavor hack
```

`--flavor hack` targets the dedicated hack.whocoronavirus.org server. The same command deploys on Android or iOS, simulator or device. iOS needs a few extra steps, described in the client README:

https://github.com/WorldHealthOrganization/app/blob/master/client/README.md

This Vulnerability Disclosure Program (VDP) covers both the iOS and Android clients (Flutter / Dart) and the server (Google managed services: Firebase, Cloud Storage, Firestore and App Engine / Java).

Public disclosure

We believe in transparency about our security, so any valid vulnerabilities discovered have a presumption of public disclosure once confirmed and resolved. At the same time, we’re limited by volunteer capacity, so please be understanding when working with us. As the app is open source on GitHub, we would particularly welcome reports that provide a patch for any fix.

In Scope:

  • hack.whocoronavirus.org - dedicated server for penetration testing. This domain is maintained by Covantas, LLC on non-WHO infrastructure. This is the preferred system for hacking and you are welcome to break it, but please be thoughtful in doing so. Please keep the data in confidence, although by design it should not contain any private data. Please do not run DDoS or other attacks that would run up significant server costs (these require prior written approval). Low-scale fuzzing is acceptable. Please see the “Safe Harbor” section below.

  • *.whocoronavirus.org - other subdomains include staging and QA for developer workflow. Please be more careful here so as not to disrupt ongoing development. All these domains are maintained by Covantas, LLC on non-WHO infrastructure.

  • Deployment configuration, including firewalls and access control.

  • 3rd party libraries, developer workflow and CI build, credential leaks.

  • Hardening suggestions. If there isn’t an active vulnerability, please consider sending a public pull request for the improvement. You can also file a report on HackerOne with a link to the Pull Request to receive credit for this.

  • Security issues that are in the open source codebase but which have not been pushed to a public server. For an active pull request that has not been merged, please publicly comment on the pull request, then post to HackerOne for credit.

Out of Scope:

  • who.int website or any other subdomain (VDP is only for the WHO COVID-19 app)

  • DDoS or similar attacks that drive large server costs (except by prior written arrangement)

  • Targeted testing or compromise of accounts of WHO staff or open source contributors (e.g. spear phishing, social engineering or physical presence)

  • Attempted insertion of a vulnerability into the open source codebase of either the WHO COVID-19 app or any of its dependencies. Hardening against this would be welcome.

  • Community engagement channels for the contributors, e.g. video chat, Slack, GitHub and others… except where the channel is meant to be private and security focused

  • Android and iOS operating system vulnerabilities, see the “Possible Bug Bounties” section below

  • Google managed services: App Engine, Firebase and Google Cloud Platform, see the “Possible Bug Bounties” section below

Documentation

Hacking Server

Breaking the hack server - hack.whocoronavirus.org - should not cause a serious problem, but please be thoughtful in doing so to avoid disruption for other hackers. Please treat any server data as confidential, although by design it shouldn't contain any private data. Please be more careful with the other *.whocoronavirus.org servers, as they're used for active development.

Possible Bug Bounties

Certain vulnerabilities with a working proof of concept on the Android version of the WHO COVID-19 Mobile App may qualify for a bounty through the Google Play Security Reward Program. To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Reward Program’s Scope and Vulnerability Criteria. Please report and resolve the vulnerability first through HackerOne. Given the shared Flutter codebase, a vulnerability on iOS could exist on Android also.

For Google managed services, such as App Engine, Firebase, Google Cloud Platform and others, please report vulnerabilities to https://g.co/vulnz, where you may be eligible for a reward. For Android vulnerabilities, see the Android Security Rewards Program.

For iOS vulnerabilities, see the Apple Bug Bounty program.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct. The World Health Organization and Covantas, LLC (owners of the *.whocoronavirus.org servers) will not initiate legal action against you under applicable computer use laws on the basis of such activities. Your safest activity is to test only the hack.whocoronavirus.org servers.

The covid19app.who.int production domain is out of scope. No safe harbor applies to this or any other WHO infrastructure including who.int and all other subdomains.

We cannot bind or authorize any activities taken in relation to networks, systems, information, applications, products, or services of any third parties. For the Google Cloud Platform, see their [Reward Program](https://www.google.com/about/appsecurity/reward-program/). Under that program, you should consider *.whocoronavirus.org as authorized “Third-party websites” subject to the limitations described above.

If legal action is initiated by a third party against you in connection with activities conducted under this policy, the World Health Organization and Covantas, LLC will take steps to make it known that your actions were conducted in compliance with this policy.

Responsible Disclosure

We encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:

Follow the Guidelines. Please read and follow the HackerOne Vulnerability Disclosure Guidelines.

Respect user privacy. The WHO COVID-19 app handles important and sensitive information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users. If you encounter any user or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.

Bend, but not break. When testing, use the minimal possible POC to validate a vulnerability; in cases where it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it. The hack.whocoronavirus.org server is the exception, where breaking the server is acceptable, but please do so in a thoughtful manner.

In Scope

| Scope Type | Scope Name |
|---|---|
| android_application | org.who.WHOMyHealth |
| ios_application | int.who.WHOMyHealth |
| web_application | hack.whocoronavirus.org |
| web_application | *.whocoronavirus.org |
| web_application | https://github.com/WorldHealthOrganization/app |

Out of Scope

| Scope Type | Scope Name |
|---|---|
| web_application | *.who.int |
| web_application | covid19app.who.int |


FireBounty crawled the program WHO COVID-19 Mobile App on the platform HackerOne on 2021-03-29.
