UNICEF Information Security Hall of Fame

Securing our digital assets

Scope

In-scope

We welcome vulnerability reports for the following UNICEF assets:

  • Websites and web applications (domains ending in unicef.org)
  • Mobile applications (iOS and Android)
  • APIs and web services
  • Cloud infrastructure and deployments

Out-of-scope

The following are considered out of scope for this program:

  • Third-party services or applications not owned by UNICEF
  • Social engineering attacks
  • Physical security issues
  • Denial of Service (DoS) vulnerabilities
  • Brute force attacks
  • Reports of spam or phishing campaigns
  • Vulnerabilities requiring physical access to a user's device
  • Publicly available files with no sensitive information
  • Missing best practices in SSL/TLS configuration

Please note that UNICEF reserves the right to accept or reject any security vulnerability disclosure report at its discretion.

To report vulnerabilities affecting other UN entities, please refer to the UN Information Security Hall of Fame.

UNICEF’s Responsible Disclosure Policy 

UNICEF is committed to protecting children worldwide, and that commitment extends to securing our digital assets. To strengthen the protection of our Information and Communications Technology infrastructure, UNICEF actively encourages the global security community to partner with us by responsibly disclosing vulnerabilities in our publicly accessible information systems.

We deeply value the expertise and contributions of security researchers in identifying potential security issues. This collaborative approach allows us to continuously improve our security posture and better safeguard our mission of helping children around the world.

This site provides guidelines for security researchers conducting vulnerability research and reporting, while also recognizing those who have made valuable contributions to our security efforts. Together, we can ensure that UNICEF's digital resources remain secure, allowing us to focus on what matters most — improving the lives of children everywhere.

Safe harbor

We follow safe harbor principles for security researchers who:

  • Make good faith efforts to avoid privacy violations, destruction of data, and interruption or degradation of our services. This includes limiting access to sensitive data: if researchers discover a vulnerability allowing access to sensitive data, they may access the minimal amount necessary to verify findings, but must not download complete datasets
  • Only interact with accounts they own or with explicit permission of the account holder
  • Do not exploit a security issue they discover for any reason beyond verification
  • Report vulnerabilities directly to us as soon as possible after their discovery
  • Keep information about any vulnerabilities confidential until they have been resolved

As long as you comply with this policy:

  • We will not initiate legal action related to your research
  • We will work with you to understand and resolve the issue quickly
  • We will recognize your contribution if requested

Recognition

Upon security researchers’ request, we can acknowledge contributions in our hall of fame, which includes:

  • Researcher's name or handle (as preferred)
  • Description of the vulnerability (with appropriate redactions)
  • Date of report and resolution

Reporting process

How to submit a report

Please submit vulnerability reports via email to [email protected] with the subject line "Vulnerability Report: [Brief Description]".

Your report should include:

  • Clear description of the vulnerability
  • Steps to reproduce, including screenshots and any tools used
  • Potential impact of the vulnerability
  • Time frame during which the testing took place
  • Any supporting materials (proof of concept code, etc.)

Subject to necessary verification, if the vulnerability report complies with our Responsible Vulnerability Disclosure Policy, please indicate whether you would like to be acknowledged in UNICEF’s Information Security Hall of Fame. 

What to expect

  • Acknowledgment: Receipt of your report will be acknowledged within 3 business days.
  • Evaluation: The report will be assessed, and the team may request additional information.
  • Resolution: Verified vulnerabilities will be remediated, and you will be kept informed of our progress (typically within 90 days).
  • Recognition: The timing and details of public acknowledgement will be coordinated with security researchers.

Contact

For questions regarding this policy, please contact us at [email protected].

Hall of fame

The following individuals and organizations have helped UNICEF improve the security of the organization's systems, data, and digital resources by reporting the security issues and vulnerabilities they discovered.

Naveed Qadir
Information disclosure
20 Aug 2025

Shirsendu Mondal
Security misconfiguration
21 Aug 2025

Hari Priandana
Information disclosure
23 Aug 2025

Omar Salazar
Security misconfiguration
5 Sep 2025

Yanuar Yusuf
Cross-site scripting
7 Sep 2025

Yanuar Yusuf
Information disclosure
7 Sep 2025

Mandy m
Security misconfiguration
13 Sep 2025

Abdullah Al Jahin
Information disclosure
16 Sep 2025

Ali Raza
Security misconfiguration
17 Sep 2025

Zidhan Hadi Irawan
Security misconfiguration
26 Sep 2025

Zidhan Hadi Irawan
Security misconfiguration
26 Sep 2025

Alvin Anugerah Pratama
Security misconfiguration
28 Oct 2025

Aaron Amran Bin Amiruddin
Security misconfiguration
28 Oct 2025

Sonia Rosenberger
Broken access control
3 Nov 2025

Alex Roger
Information disclosure
3 Nov 2025

Taofik Hidayat
Information disclosure
8 Nov 2025

Rohan S
Information disclosure
17 Nov 2025

Dava Armanda Putra
Security misconfiguration
18 Nov 2025

Mallampati Surendra Reddy
Information disclosure
23 Nov 2025

Chandra Tritaqwa R.
Security misconfiguration
1 Dec 2025

Thierry Ferdinanda
Information disclosure
3 Dec 2025

Marcin 'maskopatol' Nowak
Cross-site scripting
12 Dec 2025

Prejan Bantawa Rai
Security misconfiguration
20 Dec 2025

Fernandi Valbuena
Cross-site scripting
22 Dec 2025

Mahbub Rahman Sharaf
Information disclosure
2 Aug 2024

Jahidul Hasan Munna
Broken access control
19 Apr 2025

Jahidul Hasan Munna
Identification and authentication failures
19 Apr 2025

Ali Raza
Security misconfiguration
13 Jun 2025

Sukhwinder Singh & Damanpreet Singh
Security misconfiguration
13 Jun 2025

Ubaidah Ibnu Mubarok
Cross-site scripting
16 Jun 2025

Ubaidah Ibnu Mubarok
Information disclosure
16 Jun 2025

Vamshi Krishna Upadrasta
Identification and authentication failures
18 Jun 2025

Ali Raza
Security misconfiguration
23 Jun 2025

Sogai Mohamed Amine
Injection
10 Jul 2025

Viraj Mathpati
Security misconfiguration
23 Jul 2025

Aditya Mukati
Multiple security misconfigurations
26 Jul 2025

Aditya Mukati
Vulnerable components
26 Jul 2025

Asad Ullah Evan
Security misconfiguration
29 Jul 2025

Asad Ullah Evan
Broken access control
30 Jul 2025

Asad Ullah Evan
Security misconfiguration
30 Jul 2025

Fatematuz Zohora
Information disclosure
31 Jul 2025

Saiful Alam Shihab
Information disclosure
31 Jul 2025

Saiful Alam Shihab
Information disclosure
6 Aug 2025

Saiful Alam Shihab
Security misconfiguration
6 Aug 2025

Elena González (crodnu)
Cross-site scripting
10 Aug 2025

RDX BOYZ 07
Security misconfiguration
18 Aug 2025

Jiehao Zhang(张杰豪)
Information disclosure
19 Aug 2025