Reporting Cybersecurity Issue: UNESCO��s Responsible Disclosure policy

UNESCO welcomes the public's help in enhancing the security of its Information Communications Technology resources, by informing UNESCO of any weaknesses in the information system and assets that UNESCO makes available to the public, as well as by sharing any cybersecurity issues.

Last update:7 January 2025

What to Report

Any digital security incidents or details of vulnerabilities associated with publicly accessible UNESCO information communications technology resources (ICT), including websites.

What not to report

Out of scope vulnerabilities include the following:

ICT sites/web applications not under UNESCO.ORG domain.
Any test not related to web sites or Web applications (no DNS or Email related configurations).
Cookie Not Marked as HttpOnly.
Cookie Not Marked as Secure.
Missing HTTP security headers.
HTTP Header Information Disclosure.
Missing HTTP Strict Transport Security Policy.
Software version disclosure/banner identification.
Missing best practices in SSL/TLS configuration.
xmlrpc.php with no admin page exposed to the Internet.
No automated fuzzing of forms or web scraping type of activities.
Any activity that could lead to the disruption of service (DoS).

However, if a critical issue is found concomitantly even if it is out of scope, please do report it.

Vulnerability Reporting Policy

UNESCO may accept disclosures of vulnerabilities under the following conditions:

The vulnerability is related to UNESCO��s ICT resources.
The vulnerability has not already been publicly disclosed.
The vulnerability is reported to UNESCO as soon as possible after its discovery.
The vulnerability findings must remain confidential for at least 90 days following the date the vulnerability was reported to the UNESCO or until public disclosure of the vulnerability has been made on this website.
The severity of a vulnerability finding is assessed by the UNESCO at its own discretion.
The name and contact information of the reporter may be disclosed to affected technology vendor(s), unless otherwise requested by the reporter.

UNESCO reserves the right to accept or reject any security vulnerability disclosure report at its discretion.

For reports concerning other UN resources and assets, please consult information on .

If more information is required regarding a reported vulnerability, the UNESCO Digital Security team may contact the reporter.

If UNESCO accepts the security vulnerability disclosure report, UNESCO will verify the existence of the vulnerability, notify affected parties, and implement actions to mitigate the vulnerability.

Once the vulnerability has been removed, the reporter will be acknowledged unless he/she wishes to remain anonymous, and listed on this page with a short description of the vulnerability reported.

By reporting vulnerability findings to UNESCO, the reporter acknowledges that such reporting is provided pro bono and without expectation of financial or other compensation.

The reporter also affirms that neither he/she nor any entity that he/she represents is complicit in human rights abuses, tolerates forced or compulsory labour or use child labour, is involved in the sale or manufacture of anti-personnel mines or their components, or does not comply with the purposes and principles of UNESCO.

How to report?

Researchers can report vulnerabilities via a PGP encrypted email to cybersecurity@unesco.org with a clear documentation on how to reproduce this reported vulnerability.

91�鶹������Ʒ����