Vulnerability Disclosure and Reporting Guidelines
The World Bank Group encourages the public to assist and support the World Bank Group in its continuous efforts to improve the protection and security of the World Bank Group’s publicly accessible information systems by reporting any vulnerabilities. The guidelines below (the “VDR Guidelines”) explain how the World Bank Group works with reporters of such vulnerabilities (each a “Reporter”).
What to Report to World Bank Group:
Security incidents and details of vulnerabilities associated with publicly accessible World Bank Group resources, including websites.
Do’s and Don’ts:
- Treat any vulnerabilities pertaining to World Bank Group information systems that you may have detected as sensitive and strictly confidential information.
- Do not attempt to compromise the confidentiality, integrity, or availability of our services, employee personal information, or World Bank Group confidential information.
- Do not publicly disclose a bug either before or after it has been fixed. For clarity, public disclosure means disclosure to anyone, including but not limited to private "Hacker" websites and forums, social media platforms, blogs, or any other type of public disclosure.
- Do not upload information about the vulnerability to any site. This includes posts or videos on YouTube, Vimeo, Twitter, etc.
- Do not attempt to gain access to employee accounts or data.
- Do not run automated scanners.
- Do not perform any attack that could harm the reliability/integrity of our services or data.
- DDoS/spam attacks are not allowed.
- Do not disrupt production systems or destroy data during security testing.
- Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- Perform research only within the scope set out in this Policy.
- Use the email specified in the “Reporting a vulnerability” section to report vulnerability information to us.
- Collect only the information necessary to demonstrate the vulnerability.
- Do not store, share, compromise or destroy any World Bank Group information while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify us.
If you fulfill these requirements, World Bank Group will:
- Work with you to understand and resolve the issue.
- Acknowledge and keep you informed at every stage of the process.
Reporting a vulnerability
If you have discovered something you believe to be an in-scope security vulnerability, you should follow this procedure:
- The findings, including contact details, should be sent to vdp@worldbankgroup.org.
- As much information as possible regarding the finding should be communicated to World Bank Group to enable it to reproduce and verify the vulnerability, in order to implement appropriate remediation actions.
- The vulnerability findings must remain confidential.
If more information is required regarding a reported vulnerability, World Bank Group may contact the Reporter; therefore, it is important to provide valid contact details, including email address and/or telephone number.
If the conditions listed above are satisfied, World Bank Group will verify the existence of the vulnerability, notify affected parties, and implement actions to mitigate the vulnerability.
Once the vulnerability has been removed, the Reporter will be acknowledged via email unless he/she wishes to remain anonymous.
By reporting vulnerability findings to World Bank Group, the Reporter acknowledges that such reporting is provided pro bono and without expectation of financial or other compensation, subject to this Policy.
Any findings that do not show an impact to the user or application will not be accepted.
We will only recognize the first reporter of a valid vulnerability; duplicates will not be considered. Also, the same vulnerability occurring in multiple areas of the same or different applications will be treated as one vulnerability.
Accountability
World Bank Group reserves the right to accept or reject any security vulnerability disclosure report at its discretion.
Contact
For any questions about responsible disclosure of results for a submission, please contact us at vdp@worldbankgroup.org.
Out of Scope
The following are considered outside the scope of this Policy:
- Social Engineering (e.g., attempts to steal cookies, fake login pages to collect credentials)
- HTML injection, Self-XSS, and XSS without demonstrable impact
- Host header and banner grabbing issues
- Automated tool scan reports (e.g., web, SSL/TLS, or Nmap scan results) without a PoC demonstrating a specific vulnerability
- Missing HTTP security headers and cookie flags on non-sensitive cookies
- Rate limiting and brute-force issues
- Login/logout CSRF
- CSRF on unauthenticated forms or forms with no sensitive actions
- Session invalidation or other improved security related to account management when a credential is already known (e.g., Cookie expiration, password reset link does not immediately expire, adding MFA does not expire other sessions, sessions valid after password change/reset etc.)
- Email Spoofing
- Same Site Scripting
- Unrestricted file upload (without evidence of exploitability)
- Open redirect - unless an additional security impact can be demonstrated
- SaaS applications, even if published under the worldbank.org domain.
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Formula/Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Broken Link Hijacking without demonstrating an attack
- Attacks requiring MITM or physical access to a user's device.
- User enumeration (e.g., user email, user ID)
- Phishing / spam, and missing email best practices (e.g., invalid, incomplete, or missing SPF/DKIM/DMARC records)
- Vulnerabilities found in third-party services
- EXIF data not stripped on images
- Any activity that could lead to the disruption of our service (DoS)
- Ability to retrieve a user's public information
- Tabnabbing
- CSP Weaknesses
- Weak Captcha / Captcha bypass
- Use of a known-vulnerable library (without evidence of exploitability)
- Information Exposure from Public Sources
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Password token not expiring / password token leaking to third-party sites
- No password length restrictions or long passwords accepted upon sign-up / password reuse
- Concurrent sessions / number of parallel sessions
- Best-practice concerns
- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls
- Exposed login panels without an accompanying proof-of-concept demonstrating a vulnerability or path of exploitation
- Clickjacking on pages with no sensitive actions.
- Any zero-day vulnerabilities disclosed within the last 30 days.
- Reports on third-party products, services, or applications not owned by World Bank Group