The Organized Crime and Corruption Reporting Project (OCCRP; https://www.occrp.org/) is an investigative reporting platform formed by 24 non-profit investigative centers, scores of journalists and several major regional news organizations around the globe, and operated by the Journalism Development Network.
Our work includes involvement in the original Panama Papers, among many other projects. Because of the work we do, security is paramount to us.
The Investigative Dashboard (ID) is a platform of tools and services that help journalists follow the money and uncover corruption. At its core are IDresearch requests, a request tracking mechanism that allows reporters to get help from one of OCCRP's experienced researchers. Think of it as a bug tracker for corruption.
Of course, many of the requests submitted by reporters pertain to powerful people and companies. They are sensitive in nature and must never be disclosed to unauthorized users of the web site. We have recently revamped our request tracking app and switched to an API-driven single-page application.
A charming, hand-woven OIDC integration handles user sign-ups, via the OCCRP Single Sign-in portal (https://secure.occrp.org).
Vulnerabilities and issues related to this integration are also the focus of this program.
Eligibility and responsible disclosure
* You are responsible for complying with any applicable laws, and you should only use your own accounts or test accounts for reporting vulnerabilities.
* Any vulnerability found must be reported no later than 24 hours after discovery.
* You are not allowed to disclose details about the vulnerability anywhere else.
* You must avoid tests that could cause degradation or interruption of our service.
* You must not leak, manipulate, or destroy any user data.
* You must report a qualifying vulnerability through the BountyFactory reporting platform.
* For vulnerabilities that could theoretically put the system out of service, the OCCRP Tech Team must be contacted before any such test, to validate the approach and to avoid network attacks and unplanned downtime; the OCCRP Tech Team will coordinate a test schedule for those kinds of vulnerabilities.
Out of scope
* Logout CSRF
* Brute force, DDoS attacks
* HSTS or CSP headers
* Banner or version disclosures.
* Missing cookie flags on non-security sensitive cookies
* Presence of autocomplete attribute on web forms
* Disclosure of known public files or directories, (e.g. robots.txt)
* Missing HTTP security headers
* Use of a known-vulnerable library (without evidence of exploitability)
* Denial of service
* Social engineering (including phishing) of OCCRP staff or contractors
* Any physical attempts against OCCRP property
Rewards
* Hall of Fame
* A limited edition T-shirt with the OCCRP logo and the text "I helped Organized Crime and Corruption Reporting Project be more secure and all I got is this lousy T-shirt". A reported vulnerability does not automatically earn the hunter a T-shirt: OCCRP will evaluate the criticality of the reported vulnerability using CVSS and base the decision to award a T-shirt on that and on YesWeHack staff recommendations.
* Depending on the number and severity of vulnerabilities found, OCCRP will consider other gifts, such as messenger bags, lapel pins/campaign buttons or stickers.
Hall of Fame