Vulnerability Hall of Fame

WHO is committed to protecting the privacy and security of its people, processes, and IT solutions. Our Vulnerability Hall of Fame is intended to minimize the risk and impact of cybersecurity vulnerabilities that hackers seek to exploit for malicious purposes.

WHO responsible disclosure and reporter acknowledgment policy

To continuously improve the protection of information technology and digital assets, we encourage the public to assist our efforts by disclosing cybersecurity vulnerabilities in WHO publicly accessible information systems.

What to report to WHO (qualifying vulnerabilities)

Technical details of cybersecurity vulnerabilities associated with publicly accessible WHO digital assets. We are open to accepting any valid in-scope vulnerability, but we are especially interested in the following vulnerabilities:

  • OS Shell Execution (Remote Code Execution, Code Injection, OS Command Injection);
  • SQL Injection (Inband SQLi, Blind SQLi);
  • Server-Side Request Forgery (Unrestricted SSRF, Content-Restricted SSRF, Error-based SSRF (true/false), Blind SSRF);
  • Insecure Direct Object References (IDOR) (Horizontal Privilege Escalation, Vertical Privilege Escalation) - limited to web applications only, using non-WHO accounts;
  • Improper Restriction of XML External Entity Reference (XXE);
  • Uncontrolled Format String (Insecure Deserialisation);
  • Inconsistent interpretation of HTTP Requests (HTTP Request Smuggling);
  • Inclusion of Functionality from Untrusted Control Sphere (Server Side Includes Injection, Local File Inclusion, Directory Traversal);
  • Missing Authentication for Critical Function (Exposed Administrative Interface);
  • Information Exposure (Exposure of PII, Credentials on GitHub, Confidential Information Exposure);
  • Incorrect Authorization (Authorization Bypass, Account Takeover);
  • Cross-Site Scripting (Stored, Reflected, DOM);
  • Cross-Site Request Forgery (State-Changing CSRF, Non-State-Changing CSRF); and
  • CRLF Injection.


What NOT to report to WHO (non-qualifying vulnerabilities)

Vulnerabilities considered out of scope:

  • User account enumeration;
  • Cookie Not Marked as HttpOnly;
  • Cookie Not Marked as Secure;
  • Missing HTTP security headers;
  • Software version disclosure/banner identification;
  • Missing best practices in SSL/TLS configuration;
  • Open redirect: the actual security impact must be demonstrated;
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions;
  • Any activity that could lead to the disruption of service (DoS);
  • xmlrpc.php with no admin page exposed to the Internet;
  • Missing email best practices (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.);
  • Missing rate limits, unless it can lead to account takeover;
  • Use of a known vulnerable library (without evidence of exploitability);
  • Social engineering attacks; and
  • Reports from automated tools or scans.


Vulnerability reporting rules

WHO will accept disclosures of vulnerabilities under the conditions noted below:

  • the vulnerability has not already been publicly disclosed;
  • the vulnerability should be reported to WHO as quickly as possible after its discovery;
  • the vulnerability findings must remain confidential for at least 90 days following the report to WHO or until public disclosure of the vulnerability has been made on this website;
  • WHO assesses the severity of a vulnerability finding at its discretion;
  • the name and contact information of the reporter may be disclosed to the affected technology vendor(s) unless otherwise requested by the reporter;
  • WHO reserves the right to accept or reject any cybersecurity vulnerability disclosure report;
  • you must be the “first reporter”. Please understand that we have an active cybersecurity team that does regular internal vulnerability testing. If they happen to file the same issue before you, they will count as the “first reporter” and your report will be considered a duplicate;
  • do not DDoS or otherwise attack us in a way that would disrupt service for the public; and
  • do not attempt to access private data or user accounts.

Individuals or entities who wish to report vulnerabilities should follow the steps below:

  • vulnerability findings, technical reports, and contact details must be sent to vulnerability@who.int;
  • the findings should be communicated using PGP encrypted messages using the public key (PGP Fingerprint: 495F0D75595840ADF81D8ED8ECF53C5C3A0F8BC6) available on this website;
  • as much technical information regarding the vulnerability should be communicated to WHO to enable us to reproduce and verify the vulnerability so remediation actions can be taken; and
  • the vulnerability findings must remain confidential for at least 90 days following the report to WHO or until public disclosure of the vulnerability has been made on this website.

If more information is required regarding a reported vulnerability, WHO may contact the reporter; therefore, it is essential to provide valid contact details, including an email address and telephone number. If the conditions listed above are satisfied, WHO will verify the existence of the vulnerability, notify affected parties, and implement actions to remediate the vulnerability.

Once the vulnerability has been remediated, the reporter will be acknowledged and, at their discretion, listed on this website with a brief description of the vulnerability reported and a link to either their LinkedIn or Twitter profile, unless they wish to remain anonymous.

By reporting vulnerability findings to WHO, the reporter acknowledges that such reporting is provided pro bono without expectation of financial or other compensation.

The reporter also affirms that neither they nor any entity that they represent is complicit in human rights abuses, tolerates forced or compulsory labour or the use of child labour, is involved in the sale or manufacture of anti-personnel mines or their components, or otherwise fails to meet the purposes and principles of the United Nations and WHO.

Note: The content of this web page is inspired by the UN Hall of Fame — see links below.

https://unite.un.org/content/hall-fame

https://unite.un.org/content/hall-fame/list


Ethical hacker list

Ajit Bhatta
Reported Cross-Site Scripting (XSS) on iarc.who.int
7 April 2024

Dhivish Varshan
Reported Sensitive Information Disclosure on who.int
6 April 2024

Prial Islam
Reported Subdomain Takeover on healthbottest.who.int
26 February 2024

Vinayak Sakhare
Reported Sensitive Information Disclosure on jor-imap.emro.who.int
22 February 2024

Vincent Yiu
Reported Sensitive Information Disclosure on WHO GitHub
9 July 2020
