WHO COVID-19 Mobile App
External Program
Submit bugs directly to this organization
This program is for the WHO COVID-19 Mobile App and not for any of WHO's other infrastructure. WHO is grateful to the security researchers that have volunteered their time to keep the app safe and secure for everyone. Please do not test against the production infrastructure but instead use the dedicated hacking server:
git clone https://github.com/WorldHealthOrganization/app
cd app/client
flutter run --flavor hack
# `--flavor hack` targets dedicated `hack.whocoronavirus.org` server
# Same command deploys on Android or iOS, simulator or device. iOS needs a few extra steps:
# https://github.com/WorldHealthOrganization/app/blob/master/client/README.md
This Vulnerability Disclosure Program (VDP) covers both the iOS and Android clients (Flutter / Dart) and the server (Google managed services: Firebase, Cloud Storage, Firestore and App Engine / Java).
We believe in transparency about our security, so any valid vulnerabilities discovered have a presumption of public disclosure once confirmed and resolved. At the same time, we’re limited by volunteer capacity, so please be understanding when working with us. As the app is open source on GitHub, we would particularly welcome reports that provide a patch for any fix.
hack.whocoronavirus.org - dedicated server for penetration testing. This domain is maintained by Covantas, LLC on non-WHO infrastructure. This is the preferred system for hacking and you are welcome to break it, but please be thoughtful in doing so to avoid disrupting other hackers. Please keep any server data in confidence, although by design it should not contain any private data. Please no DDoS or other attacks that would run up significant server costs (these require prior written approval). Low-scale fuzzing is acceptable. Please see the "Safe Harbor" section below.

*.whocoronavirus.org - the other subdomains include staging and QA servers for the developer workflow and are used for active development. Please be more careful here so as not to disrupt ongoing development. All of these domains are maintained by Covantas, LLC on non-WHO infrastructure.
Certain vulnerabilities with a working proof of concept on the Android version of the WHO COVID-19 Mobile App may qualify for a bounty through the Google Play Security Reward Program. To see which vulnerabilities may qualify for a bounty, please refer to the Google Play Security Reward Program’s Scope and Vulnerability Criteria. Please report and resolve the vulnerability first through HackerOne. Given the shared Flutter codebase, a vulnerability on iOS could exist on Android also.
For vulnerabilities in the Google managed services themselves, such as App Engine, Firebase, Google Cloud Platform and others, please report them to https://g.co/vulnz, where you may be eligible for a reward. For Android platform vulnerabilities, see the Android Security Rewards Program.
For iOS vulnerabilities, see the Apple Bug Bounty program.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct. The World Health Organization and Covantas, LLC (owners of the *.whocoronavirus.org servers) will not initiate legal action against you under applicable computer use laws on the basis of such activities. Your safest activity is to test only the hack.whocoronavirus.org servers.
The covid19app.who.int production domain is out of scope. No safe harbor applies to this or any other WHO infrastructure including who.int and all other subdomains.
We cannot bind or authorize any activities taken in relation to networks, systems, information, applications, products, or services of any third parties. For the Google Cloud Platform, see their [Reward Program](https://www.google.com/about/appsecurity/reward-program/). Under that program, you should consider *.whocoronavirus.org as authorized "Third-party websites", subject to the limitations described above.
If legal action is initiated by a third party against you in connection with activities conducted under this policy, the World Health Organization and Covantas, LLC will take steps to make it known that your actions were conducted in compliance with this policy.
We encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:
Follow the Guidelines. Please read and follow the HackerOne Vulnerability Disclosure Guidelines.
Respect user privacy. The WHO COVID-19 app handles important and sensitive information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users. If you encounter any user or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.
Bend, but not break. When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it. The hack.whocoronavirus.org server is the exception where breaking the server is acceptable but please do so in a thoughtful manner.