Vulnerability Hall of Fame
To continuously improve the protection of information technology and digital assets, WHO encourages the public to assist our efforts by disclosing cybersecurity vulnerabilities in WHO publicly accessible information systems. Once the vulnerability has been remediated, the reporter is acknowledged and listed in our ethical hacker list, on this page, with a brief description of the vulnerability reported and a link to either their LinkedIn or Twitter profile.
By reporting vulnerability findings to WHO, the reporter acknowledges that such reporting is provided pro bono without expectation of financial or other compensation. The reporter also affirms that neither they nor any entity that they represent is complicit in human rights abuses, tolerates forced or compulsory labour or use of child labour, is involved in the sale or manufacture of anti-personnel mines or their components, or does not meet the purposes and principles of the United Nations and WHO.
List of ethical hackers and vulnerability researchers
2025
Name: Prathik Murugan
Reported Subdomain Takeover on photos.euro.who.int
6 August 2025
Name: Akash Hinge
Reported Information Disclosure on cci4eu-staging.aws-lcb.iarc.who.int
4 August 2025
Name: Asad Ullah Evan
Reported Information disclosure on circ60.iarc.who.in
3 August 2025
Name: Asad Ullah Evan
Reported Information disclosure on snp.who.int
3 August 2025
Name: Asad Ullah Evan
Reported Information disclosure on data.wpro.who.int
3 August 2025
Name: 姜学连
Reported XSS on trialsearch.who.int
17 July 2025
Name: Devadath A
Reported Information Disclosure on webapi.iarc.who.int
9 July 2025
Name: Azza Tegar Naufal Ataullah
Reported Information disclosure on analytics.afro.who.int
15 June 2025
Name: Ashik Mohamed (ashikmd7)
Reported Broken Link Hijacking on pmnch.who.int
9 June 2025
Name: Anij Gurung
Reported IDOR on *.emro.who.int
7 June 2025
Name: Muhammad Fikri Adhirajasa
Reported Broken Link Hijack on www.who.int
1 June 2025
Name: Mikel Hernandez Alonso
Reported Prototype Pollution on *.who.int
28 April 2025
Name: Umanhonlen Gabriel
Reported Broken Access Control on *.afro.who.int
21 April 2025
Name: Anij Gurung
Reported Stored HTML injection on *.who.int
31 May 2025
Name: Alexsandro Alvino
Reported Broken Link Hijacking on *.who.int
22 May 2025
Name: Manideep Balugu
Reported Hyperlink Injection on *.who.int
8 May 2024
Name: Nathan Accacio
Reported Unauthorized access to a Google Folder
25 March 2025
Name: Jonathon Sweeney
Reported Subdomain takeover on *.who.int
23 March 2025
Name: Zahir Uddin Ahmad
Reported Broken Access Control on *.who.int
22 March 2025
Name: Gonzalo Aguilar
Reported XSS on apps.who.int
14 March 2025
Name: Madhav Shah
Reported Information Disclosure on cdn.who.int
13 March 2025
Name: Dhaval Chauhan
Reported Broken Access Control on applications.emro.who.int
11 March 2025
Name: Abdelrahman Attia
Reported Information Disclosure (Severe Risk)
8 March 2025
Name: Abror Pratama Harahap
Reported Information Disclosure on afro.who.int
21 February 2025
Name: Maroine Youcefi
Reported SQL Injection on *.wpro.who.int
20 February 2025
Name: Reju Kole
Reported Information Disclosure on iris.who.int
19 February 2025
Name: Bhavan Rbn
Reported XSS on *.afro.who.int
17 February 2025
Name: Dinar Guluzada
Reported XSS on *.wpro.who.int
9 February 2025
Name: Steven Floresca
Reported SQL Injection on *.wpro.who.int
5 February 2025
Name: Gamiel Manbiotan
Reported Information disclosure on gifna-test.who.int
5 February 2025
Name: Arit Dutta
Reported XSS on smart.who.int
31 January 2025
Name: Behnam Abbasi Vanda
Reported Information disclosure on api-ncds.who.int
29 January 2025
Name: Team-DisclosureX Cybrgen
Reported Authentication Bypass via Outdated Software on *.who.int
21 January 2025
Name: Arit Dutta
Reported XSS on *.emro.who.int
16 January 2025
Name: Arit Dutta
Reported XSS on *.who.int
16 January 2025
Name: Çetin Binicif
Reported Time-Based SQL injection on tumourclassification.iarc.who.int
14 January 2025
Name: 胡浩川 (Adminhx)
Reported XSS on data.wpro.who.int
13 January 2025
Name: Waseem Laghari Cybersecurity Researcher
Reported Broken Access Control on *.who.int
12 January 2025
Name: Muhammad Abdur Raafay
Reported Information disclosure on *.searo.who.int
11 January 2025
Name: John Fiel Brosas
Reported Broken Access Authentication on esurv.afro.who.int
4 January 2025
2024
Ahmad Alassaf
Reported Information disclosure on extranet.who.int
24 December 2024
Vaibhav Jain
Reported Information disclosure on multimedia.wpro.who.int
24 December 2024
Jayson T Palma
Reported Information disclosure on innov.afro.who.int
18 December 2024
Ubaidah Ibnu Mubarok
Reported SQL injection on espen.afro.who.int
18 December 2024
Dhruv Mankad
Reported XSS on apps.who.int
14 December 2024
Michal Biesiada
Reported Outdated vulnerable software on photos.hq.who.int
13 December 2024
Rajesh Bhandekar
Reported Upload misconfiguration on ojs.wpro.who.int
12 December 2024
Rivek Raj Tamang
Reported Unauthorized Access to Google sheet
26 November 2024
Rajdip Chavan
Reported XST on *.searo.who.int
26 November 2024
Rajdip Chavan
Reported XST on *.wpro.who.int
26 November 2024
Abhishek Singh
Reported Host header injection on *.lxp.academy.who.int
21 November 2024
Shoaib Tahir
Reported Information Disclosure on lxp.academy.who.int
19 November 2024
Gison
Reported Information disclosure on saver.searo.who.int
12 November 2024
Rahma Syndu Grananta
Reported XSS on photos.euro.who.int
5 November 2024
Rahma Syndu Grananta
Reported Information disclosure on photos.euro.who.int
5 November 2024
Rahma Syndu Grananta
Reported Amazon S3 Misconfiguration
5 November 2024
Vedant Pillai
Reported Information disclosure on WHO’s Github
29 October 2024
Rodrigo Costa de Souza
Reported Information disclosure on virtuallibrary.euro.who.int
26 October 2024
Dishant Modi
Reported HTML Injection on covid.emro.who.int
18 October 2024
Atul Nagaraj Nambiar
Reported Information disclosure on extranet.who.int
12 October 2024
Atul Nagaraj Nambiar
Reported Information disclosure on cdn.who.int
12 October 2024
Pruthu Raut
Reported Hyperlink injection on publications.iarc.who.int
2 October 2024
Dinesh Narasimman
Reported HTML Injection on apps.who.int
28 September 2024
Moniganti Nithin
Reported CSRF on *.who.int
24 September 2024
Althaf Ashraf
Reported Information disclosure on *.who.int
24 September 2024
Fredrik John Sanger
Reported a broken access control on *.who.int
21 September 2024
Vallerio Alvaren
Reported XSS on *.afro.who.int
20 September 2024
David Jesus
Reported a directory listing on extranet-dev.wpro.who.int
20 September 2024
Ritik Raj
Reported XSS on *.emro.who.int
18 September 2024
Nitin Yadav
Reported Prototype Pollution on *.who.int
14 September 2024
Aakash Dubey
Reported RCE on whotest.who.int
10 September 2024
Shehzad Ahmad
Reported Sensitive Data Exposure on who.int
10 September 2024
Shivam Dhingra
Reported an information disclosure on researchportal.searo.who.int
7 September 2024
Sakthivel Murugan
Reported an Information Disclosure on uhcc.who.int
6 September 2024
Yogeswaran M
Reported Cross-Site Tracing on indexmedicus.afro.who.int
6 September 2024
Robi Mohamad Subagja
Reported an information disclosure on cdn.who.int
5 September 2024
Akash Motkar
Reported an information disclosure on data-uat.wpro.who.int
3 September 2024
Nilesh Agrawal Koyo
Reported Prototype pollution on *.who.int
2 September 2024
Miguel Arrabal Castro
Reported an unauthorized access to Google Drive pmnch.who.int
31 August 2024
Raghav Arora
Reported an information disclosure on extranet.who.int
29 August 2024
Divya Chaudhari
Reported an unauthorized access on data.lms-uat.lxp.academy.who.int
28 August 2024
Antonio Fernandes
Reported subdomain takeover on ctdip.who.int
25 August 2024
Abhirup Konwar
Reported an unauthorized access to Google Drive folder cdn.who.int
22 August 2024
Muhammad Nur
Reported an information disclosure on www.emro.who.int
21 August 2024
Ashutosh Barot
Reported an information disclosure on applications-mobile.who.int
17 August 2024
Qadhafy Muhammad Tera
Reported an information disclosure on *.who.int
16 August 2024
AKHIL C.D.
Reported XST on *.searo.who.int
11 August 2024
CHANDRU R
Reported Unauthorized Access to Admin Panel on admin.espen.afro.who.int
11 August 2024
Nazmul Haque Jowel
Reported an information disclosure on joomla.emro.who.int
11 August 2024
Jay Parmar
Reported an unauthorized access to Google Drive folder extranet.who.int
10 August 2024
Prathamesh Satyan Chaudhari
Reported information disclosure on malsurtoolkit.who.int
9 August 2024
Dikshant Singh
Reported an information disclosure on transmettre-circ.iarc.who.int
9 August 2024
Jignesh Vaniya
Reported an unauthorized admin access on saver.searo.who.int
9 August 2024
Ariyamba Chippy Thamburatty K K
Reported XSS on *.emro.who.int
8 August 2024
Everton Silva
Reported an information disclosure in *.bvsalud.org (not in scope anymore)
8 August 2024
Everton Silva
Reported an information disclosure in *.teste.bvsalud.org (not in scope anymore)
8 August 2024
Usama Zahoor
Reported Information disclosure on *.who.int
7 August 2024
Sakil Hasan Saikat
Reported an unauthorized access to a Google Drive Folder related to hlh.who.int
7 August 2024
Zeynalxan Quliyev
Reported Information disclosure on iris.who.int
6 August 2024
Miguel Segovia Gil
Reported Directory Listing on indexmedicus.afro.who.int
5 August 2024
Umar Mushtaq
Reported a PHP information disclosure on saver.searo.who.int
5 August 2024
Everton Silva
Reported a Cross-Site Scripting (XSS) in *.bvsalud.org (not in scope anymore)
4 August 2024
Everton Silva
Reported a Cross-Site Scripting (XSS) in *.h1n1.bvsalud.org (not in scope anymore)
4 August 2024
Everton Silva
Reported an information disclosure in *.bireme.org (not in scope anymore)
4 August 2024
Everton Silva
Reported a Cross-Site Scripting (XSS) in *.bireme.org (not in scope anymore)
4 August 2024
Everton Silva
Reported a Cross-Site Scripting (XSS) in *.bvsalud.org (not in scope anymore)
4 August 2024
Everton Silva
Reported an information disclosure in *.bvsalud.org (not in scope anymore)
4 August 2024
Everton Silva
Reported an HTML Injection in *.bvsalud.org (not in scope anymore)
4 August 2024
Miguel Segovia Gil
Reported a reflected XSS on photos.euro.who.int
3 August 2024
Aditya Patel
Reported Directory Listing on indexmedicus.afro.who.int
3 August 2024
Everton Silva
Reported an information disclosure in *.bireme.org (not in scope anymore)
2 August 2024
Everton Silva
Reported an information disclosure in *.bvsalud.org (not in scope anymore)
2 August 2024
Everton Silva
Reported an information disclosure in *.teste.bvsalud.org (not in scope anymore)
2 August 2024
Hemand KM
Reported an unauthorized access to Google Drive pmnch.who.int
2 August 2024
Adhithya S D
Reported an unauthorized administrative access on wem-rho1.emro.who.int
2 August 2024
Magashwarahan A
Reported Path traversal on covid19app.who.int
1 August 2024
Syed Fawad Abbas
Reported Information disclosure on *.iarc.who.int
1 August 2024
Rajkumar Shanmugam
Reported an unauthorized access to a Google Drive folder
1 August 2024
Adarsh.S.Nair
Reported a potential IDOR through an outdated plugin on training.aws.iarc.who.int
1 August 2024
Everton Silva
Reported an information disclosure on www.globalindexmedicus.net
1 August 2024
Ariyamba Chippy Thamburatty K K
Reported Information disclosure on *.who.int
30 July 2024
Sri Shavin Kumar Chandra Mohan
Reported an unauthorized access to a Google Drive folder
30 July 2024
Mohammed Nafeed
Reported an unauthenticated access to www.uness.moodle.lxp.academy.who.int
29 July 2024
Mahbub Rahman Sharaf
Reported an information disclosure on multimedia.wpro.who.int
28 July 2024
Ariyamba Chippy Thamburatty K K
Reported XSS on www.iarc.who.int
26 July 2024
Ariyamba Chippy Thamburatty K K
Reported Directory Listing on indexmedicus.afro.who.int
26 July 2024
Francesco Jeremy Topol
Reported an information disclosure on extranet.who.int
24 July 2024
Vijay Sutar
Reported a directory listing issue on whophotosearch.who.int
22 July 2024
Asif Nawaz Minhas
Reported a potential subdomain takeover on tng-dev2.who.int
19 July 2024
Prince Kumar
Reported XSS on *.academy.who.int
16 July 2024
Mahbub Rahman Sharaf
Reported an information disclosure on *afro.who.int
18 July 2024
Miguel Santareno
Reported Reflected Cross-Site Scripting (XSS) on tumourclassification.iarc.who.int
16 July 2024
Aashutosh devkota
Reported host header injection on *.who.int
12 July 2024
Linate/宋秉霖
Reported an information disclosure on researchportal.searo.who.int
11 July 2024
Adarsh.S.Nair
Reported Information disclosure on *.academy.who.int
10 July 2024
Yiliyasi Aimaier (伊力亚斯·艾买尔)
Reported reflected XSS on *.emro.who.int
9 July 2024
Adarsh.S.Nair
Reported Information disclosure on photos.euro.who.int
9 July 2024
Shivam Dhingra
Reported information disclosure on vlibrary.emro.who.int
9 July 2024
Fawad Abbas
Reported information disclosure on rho.emro.who.int
8 July 2024
Josekutty Kunnelthazhe Binu
Reported information disclosure on applications.who.int
1 July 2024
Biswajeet Ray
Reported information disclosure on solutions.who.int
1 July 2024
Gurudatt Choudhary
Reported an information disclosure on dhistvd.afro.who.int
23 June 2024
Parth Narula
Reported XSS Vulnerability on data.wpro.who.int
10 June 2024
Sarvagn Pathak
Reported Sensitive Data Exposure on afro.who.int
8 June 2024
Parth Narula
Reported an information disclosure on researchportal.searo.who.int
7 June 2024
Miguel Llamazares
Reported Sensitive Data Exposure on digitalatlas.who.int
5 June 2024
Vignesh SB
Reported Sensitive Information Disclosure on esurv.afro.who.int
3 June 2024
Shri Harshan
Reported Sensitive Information Disclosure on esurv.afro.who.int
1 June 2024
Mohamed Djaber
Reported Cross-Site Scripting (XSS) on training.iarc.who.int
13 May 2024
Adrián Tirado García
Reported Sensitive Data Exposure on publicspace.who.int and seaextranet.searo.who.int
12 May 2024
Umair Farooqui
Reported Cross-Site Scripting (XSS) on countryportal-sandbox.who.int
6 May 2024
Lucas Solera
Reported Information Disclosure on ojs.wpro.who.int
29 April 2024
Ali Hassan Ghori (Apprise Cyber)
Reported XSS on iarc.who.int
25 April 2024
Ajit Bhatta
Reported Cross-Site Scripting (XSS) on iarc.who.int
7 April 2024
Dhivish Varshan
Reported Sensitive Information Disclosure on who.int
6 April 2024
Prial Islam
Reported Subdomain Takeover on healthbottest.who.int
26 February 2024
Vinayak Sakhare
Reported Sensitive Information Disclosure on jor-imap.emro.who.int
22 February 2024
Vincent Yiu
Reported Sensitive Information Disclosure on WHO GitHub
9 July 2020