Process for Reporting Vulnerabilities Within ICANN Organization Online Services
Responsible Disclosure Guidelines
Responsible disclosure of a vulnerability consists of providing notification to ICANN in lieu of publicly releasing the details and providing a reasonable timeframe for ICANN to fix the issue. When a potential vulnerability is reported to ICANN through responsible means, ICANN will strive to confirm its existence in a timely manner, evaluate the risk to ICANN and the community and, if necessary, adopt the appropriate corrective timeline with actions to remediate. ICANN sincerely appreciates responsible disclosure of vulnerabilities from all parties and will make efforts to provide appropriate recognition of those individuals who follow ICANN's disclosure guidelines.
Public Vulnerability Disclosure Program
ICANN has partnered with HackerOne to provide a method to report vulnerabilities for our online services.
ICANN's HackerOne portal is located at: https://hackerone.com/icann
The program is invitation only for current HackerOne members. However, you may still submit a vulnerability by following the policy guidelines published on our HackerOne portal, or by emailing it to: vulnerability@icann.org
Emailed reports may be encrypted using this PGP public key.
For emailed vulnerability reports, please include:
- A full description of the vulnerability being reported, including its exploitability and impact.
- All steps required to reproduce the exploit of the vulnerability.
- All URL(s)/application(s) affected (even if a code snippet or video was also provided).
- All IP addresses that were used while testing.
- The user account (if any) used for the Proof of Concept (PoC).
- All files that you attempted to upload.
- The complete PoC, kept non-destructive (e.g., for a Remote Code Execution, a PoC that does not change files; for an upload, only "hello world" test files).
- All saved logs, attached to the submission.
Responsible Disclosure Guidelines:
In researching vulnerabilities with ICANN org online services, you may not engage in testing that:
- results in a degradation of ICANN systems,
- results in you, or any third party, accessing, storing, sharing or destroying ICANN or customer data, or
- may impact the ICANN community, such as denial of service, social engineering or spam.
Prohibited Actions:
- Uploading files that allow arbitrary commands (e.g., a web shell).
- Modifying any files or data, including permissions.
- Deleting any files or data.
- Interrupting normal operations (e.g., triggering a reboot).
- Creating and maintaining a persistent connection to the server.
- Intentionally viewing any files or data beyond what is needed to prove the vulnerability.
- Failing to disclose any actions taken or any other required information.
Failure to meet the above conditions and requirements may be considered a breach of these responsible disclosure guidelines and may eliminate any potential recognition of the submitted research contribution.