FIND non-profit
Company Details
Linkedin ID:
findnonprofit
Website:
Employees number:
9
Number of followers:
598
NAICS:
5411
Industry Type:
Homepage:
find.ngo
IP Addresses:
0
Company ID:
FIN_2315635
Scan Status:
In-progress
FIND non-profit Company CyberSecurity Posture
find.ngo
FIND investigates the actors, technologies, and systems that enable and profit from human rights abuses, international crimes, and environmental harm. We build civil society capacity through meticulous financial investigations and training. We work hand-in-hand with community organisations, NGOs, journalists, public interest lawyers, and intergovernmental bodies to seek truth and justice for those affected. Our work feeds into legal proceedings, regulatory action, investigative reporting and advocacy campaigns. We strive for a world where rights are upheld, ecosystems are protected, and no one profits from the suffering of people or the planet. https://find.ngo/ https://bsky.app/profile/find.ngo
FIND non-profit A.I CyberSecurity Scoring
FIND non-profit Risk Score (AI oriented)Between 600 and 649
FIND non-profit
Updated:
- Powered by our proprietary A.I cyber incident model
- Insurance preferes TPRM score to calculate premium
FIND non-profit Global Score (TPRM)XXXX
FIND non-profit
- Instant access to detailed risk factors
- Benchmark vs. industry & size peers
- Vulnerabilities
- Findings
FIND non-profit Company CyberSecurity News & History
Past Incidents
1
Attack Types
1
Geedge Networks
Breach
Rankiteo Explanation
Attack threatening the economy of geographical region
Description: A massive data breach at **Geedge Networks**, a company tied to China’s **Great Firewall**, exposed **over 500 GB of internal documents**, including **source code, work logs, and proprietary DPI (Deep Packet Inspection) technology blueprints**. The leak, originating on **September 11, 2025**, revealed that the company had been exporting its censorship infrastructure—dubbed a *‘Great Firewall in a box’*—to **four authoritarian regimes (Ethiopia, Myanmar, Kazakhstan, and Pakistan)**. The exposed data included **algorithms for blocking VPNs, surveillance mechanisms, and state-level censorship tools**, enabling foreign governments to **suppress dissent, enforce propaganda, and monitor citizens**.The breach not only **compromised China’s domestic censorship capabilities** but also **accelerated global internet restrictions**, empowering regimes to **deploy real-time traffic filtering, DNS tampering, and AI-driven VPN detection**. While the leak did not directly expose **personal or financial data**, its **strategic impact** lies in **eroding digital freedoms**, enabling **mass surveillance**, and **facilitating state-controlled information blackouts**. The incident underscores how **censorship technology**, once confined to China, is now being **commercialized as a tool for oppression worldwide**, with long-term geopolitical and humanitarian consequences.
FIND non-profit Company Scoring based on AI Models
Cyber Incidents Likelihood 3 - 6 - 9 months
A.I Risk Score Likelihood 3 - 6 - 9 months
Underwriter Stats for FIND non-profit
Incidents vs Legal Services Industry Average (This Year)
FIND non-profit has 13.64% more incidents than the average of same-industry companies with at least one recorded incident.
Incidents vs All-Companies Average (This Year)
FIND non-profit has 56.25% more incidents than the average of all companies with at least one recorded incident.
Incident Types FIND non-profit vs Legal Services Industry Avg (This Year)
FIND non-profit reported 1 incidents this year: 0 cyber attacks, 0 ransomware, 0 vulnerabilities, 1 data breaches, compared to industry peers with at least 1 incident.
Incident History — FIND non-profit (X = Date, Y = Severity)
FIND non-profit cyber incidents detection timeline including parent company and subsidiaries
FIND non-profit Company Subsidiaries
FIND investigates the actors, technologies, and systems that enable and profit from human rights abuses, international crimes, and environmental harm. We build civil society capacity through meticulous financial investigations and training. We work hand-in-hand with community organisations, NGOs, journalists, public interest lawyers, and intergovernmental bodies to seek truth and justice for those affected. Our work feeds into legal proceedings, regulatory action, investigative reporting and advocacy campaigns. We strive for a world where rights are upheld, ecosystems are protected, and no one profits from the suffering of people or the planet. https://find.ngo/ https://bsky.app/profile/find.ngo
Loading...
FIND non-profit Similar Companies
Larson Skinner PLLC
Larson Skinner PLLC is a law firm based in Minneapolis that provides copyright, trademark, technology, and licensing counsel to individuals, trade organizations, standards settings bodies, and small, growing, and large companies. The firm focuses its practice on e-commerce, databases, web branding i
Rödl & Partner Lithuania
As attorneys, tax advisers, management and IT consultants and auditors, we are present with 116 own offices in 50 countries. Worldwide, our clients trust our 6,000 colleagues. Rödl & Partner is not a collection of accountants, auditors, attorneys, management and tax consultants working in parallel.
MDA Attorneys - Construction & Technology Law Specialists
Providing objective, innovative and practical solutions to contractual and commercial challenges, MDA Attorneys works closely alongside our clients to offer a full range of legal services for large-scale construction. mining and technology projects in Sub-Saharan Africa and worldwide. Our team of h
The Mitzel Group, LLP
We are a boutique San Francisco-based law firm offering an integrated approach for using the law as a critical business strategy. We help chart clients' paths through all phases of their business life cycles, from seed and start-up, through growth and maturity, to expansion and exit. Founded in 20
Paluch Law, P.C.
Paluch Law brings a unique combination of experience with a solid understanding of the challenges that clients in these heavily regulated industries face. Our counsel considers the government’s perspective and connects the dots to ensure your business is in compliance while also achieving your busin
Sceales Lawyers
Sceales Lawyers is a Perth-based law firm established in 1994 by Robert Sceales. We advise principally in relation to taxation, general commercial, trusts, wills and estate matters. Our clients include accountants, solicitors, large and small private and public companies, family businesses, charit
.png)
FIND non-profit CyberSecurity News
November 26, 2025 08:58 PM
When impact meets integrity: not-for-profits rethink data and AI
Walk into almost any Canadian charity today and you'll find a familiar scene: teams comparing spreadsheets, donor databases, and program...
November 18, 2025 08:00 AM
Best Online Bachelor’s Degrees In Cybersecurity Of 2025
Find the best U.S. schools with online cybersecurity bachelor's degrees, and learn how to succeed in an online cybersecurity bachelor's...
November 13, 2025 08:00 AM
Mission Under Digital Siege: Closing The Cybersecurity Gap
(image from pexels.com). By Brian Cute. You run programs, raise funds, and coordinate volunteers on systems that carry donor information,...
October 21, 2025 07:00 AM
What is a Cyber Security Job?
Also known as ethical hackers, these professionals are experts in looking for vulnerabilities in a system to gain access.
October 01, 2025 07:00 AM
Cybersecurity Awareness Month: Security starts with you
Get the Be Cybersmart Kit and explore some of Microsoft's resources for Cybersecurity Awareness Month to stay safe online.
September 30, 2025 07:00 AM
Cybersecurity Risks Facing Global Manufacturing
Manufacturing faces rising cyberattacks, supply chain risks, and ransomware losses. Learn why resilience is now a top executive priority.
September 30, 2025 03:07 AM
Teach Employees to Avoid Phishing
Phishing happens when attackers trick people, like small business owners or employees, into clicking harmful links, opening fake emails or downloading...
September 29, 2025 07:00 AM
Why burnout is a growing problem in cybersecurity
When Tony was signed off for burnout from his cyber-security awareness role at a major UK ecommerce company last year, it had been a long...
September 22, 2025 07:00 AM
43 Top Cybersecurity Companies to Know 2025
These top cybersecurity companies provide an array of solutions that meet the glut of digital data demands for the modern era.
Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
FIND non-profit CyberSecurity History Information
Official Website of FIND non-profit
The official website of FIND non-profit is https://find.ngo/.
FIND non-profit’s AI-Generated Cybersecurity Score
According to Rankiteo, FIND non-profit’s AI-generated cybersecurity score is 607, reflecting their Poor security posture.
How many security badges does FIND non-profit’ have ?
According to Rankiteo, FIND non-profit currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
Does FIND non-profit have SOC 2 Type 1 certification ?
According to Rankiteo, FIND non-profit is not certified under SOC 2 Type 1.
Does FIND non-profit have SOC 2 Type 2 certification ?
According to Rankiteo, FIND non-profit does not hold a SOC 2 Type 2 certification.
Does FIND non-profit comply with GDPR ?
According to Rankiteo, FIND non-profit is not listed as GDPR compliant.
Does FIND non-profit have PCI DSS certification ?
According to Rankiteo, FIND non-profit does not currently maintain PCI DSS compliance.
Does FIND non-profit comply with HIPAA ?
According to Rankiteo, FIND non-profit is not compliant with HIPAA regulations.
Does FIND non-profit have ISO 27001 certification ?
According to Rankiteo,FIND non-profit is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Industry Classification of FIND non-profit
FIND non-profit operates primarily in the Legal Services industry.
Number of Employees at FIND non-profit
FIND non-profit employs approximately 9 people worldwide.
Subsidiaries Owned by FIND non-profit
FIND non-profit presently has no subsidiaries across any sectors.
FIND non-profit’s LinkedIn Followers
FIND non-profit’s official LinkedIn profile has approximately 598 followers.
NAICS Classification of FIND non-profit
FIND non-profit is classified under the NAICS code 5411, which corresponds to Legal Services.
FIND non-profit’s Presence on Crunchbase
No, FIND non-profit does not have a profile on Crunchbase.
FIND non-profit’s Presence on LinkedIn
Yes, FIND non-profit maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/findnonprofit.
Cybersecurity Incidents Involving FIND non-profit
As of November 30, 2025, Rankiteo reports that FIND non-profit has experienced 1 cybersecurity incidents.
Number of Peer and Competitor Companies
FIND non-profit has an estimated 7,390 peer or competitor companies worldwide.
What types of cybersecurity incidents have occurred at FIND non-profit ?
Incident Types: The types of cybersecurity incidents that have occurred include Breach.
How does FIND non-profit detect and respond to cybersecurity incidents ?
Detection and Response: The company detects and responds to cybersecurity incidents through an third party assistance with great firewall report researchers, third party assistance with mesa lab investigators, and communication strategy with public disclosure via great firewall report, communication strategy with media coverage highlighting censorship risks..
Incident Details
Can you provide details on each incident ?
Title: 500 GB Leak Exposes China’s 'Great Firewall in a Box' Sold to Four Authoritarian Regimes
Description: A massive data breach (500 GB) from Geedge Networks, a company linked to China’s Great Firewall, revealed detailed blueprints of deep packet inspection (DPI) and filtering technology sold to at least four countries: Ethiopia, Myanmar, Kazakhstan, and Pakistan. The leaked documents expose a turnkey censorship solution ('Great Firewall in a box') that enables authoritarian regimes to block VPNs, foreign media, and dissenting content while enforcing state surveillance. The breach highlights China’s strategic shift from domestic censorship to commercializing censorship technology globally, severely impacting digital freedoms and privacy for millions.
Date Detected: 2025-09-11
Date Publicly Disclosed: 2025-09-13
Type: Data Breach
Attack Vector: Unauthorized disclosure (leak) of internal documents and source code
Motivation: Commercialization of censorship technologyGeopolitical influenceState surveillance expansion
What are the most common types of attacks the company has faced ?
Common Attack Types: The most common types of attacks the company has faced is Breach.
Impact of the Incidents
What was the impact of each incident ?
Incident : Data Breach FIN1093010091725
Data Compromised: Source code, Work logs, Internal communications, Dpi blueprints, Secure gateway software, Censorship algorithms
Systems Affected: Geedge Networks' infrastructureGreat Firewall development systems
Operational Impact: Exposure of proprietary censorship technologyReputation damage to Geedge Networks and Chinese governmentAccelerated global adoption of turnkey censorship tools
Brand Reputation Impact: Severe damage to China’s global image on digital rightsCriticism from human rights organizationsBacklash from tech and privacy advocates
What types of data are most commonly compromised in incidents ?
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Proprietary Source Code, Internal Documents, Dpi Algorithms, Secure Gateway Software, Censorship Tool Blueprints, Work Logs, Internal Communications and .
Which entities were affected by each incident ?
Incident : Data Breach FIN1093010091725
Entity Name: Geedge Networks
Entity Type: Technology Company
Industry: Cybersecurity/Censorship Technology
Location: China
Incident : Data Breach FIN1093010091725
Entity Name: Ethiopia (Government)
Entity Type: National Government
Industry: Public Sector
Location: Ethiopia
Customers Affected: Millions of citizens
Incident : Data Breach FIN1093010091725
Entity Name: Myanmar (Government)
Entity Type: National Government
Industry: Public Sector
Location: Myanmar
Customers Affected: Millions of citizens
Incident : Data Breach FIN1093010091725
Entity Name: Kazakhstan (Government)
Entity Type: National Government
Industry: Public Sector
Location: Kazakhstan
Customers Affected: Millions of citizens
Incident : Data Breach FIN1093010091725
Entity Name: Pakistan (Government)
Entity Type: National Government
Industry: Public Sector
Location: Pakistan
Customers Affected: Millions of citizens
Incident : Data Breach FIN1093010091725
Entity Name: Citizens of Affected Countries
Entity Type: General Public
Location: EthiopiaMyanmarKazakhstanPakistan
Customers Affected: Activists, journalists, whistle-blowers, and general internet users
Response to the Incidents
What measures were taken in response to each incident ?
Incident : Data Breach FIN1093010091725
Third Party Assistance: Great Firewall Report Researchers, Mesa Lab Investigators.
Communication Strategy: Public disclosure via Great Firewall ReportMedia coverage highlighting censorship risks
How does the company involve third-party assistance in incident response ?
Third-Party Assistance: The company involves third-party assistance in incident response through Great Firewall Report researchers, MESA Lab investigators, .
Data Breach Information
What type of data was compromised in each breach ?
Incident : Data Breach FIN1093010091725
Type of Data Compromised: Proprietary source code, Internal documents, Dpi algorithms, Secure gateway software, Censorship tool blueprints, Work logs, Internal communications
Number of Records Exposed: 100,000+ documents (500 GB total)
Sensitivity of Data: High (state-level censorship technology, surveillance tools)
Data Exfiltration: Yes (leaked to researchers/public)
File Types Exposed: Source code filesPDFsInternal memosCargo manifestsData center logs
Regulatory Compliance
Were there any regulatory violations and fines imposed for each incident ?
Incident : Data Breach FIN1093010091725
Regulations Violated: Potential violations of international human rights laws (e.g., UN Declaration of Human Rights, Article 19), Export control regulations (if applicable),
Lessons Learned and Recommendations
What lessons were learned from each incident ?
Incident : Data Breach FIN1093010091725
Lessons Learned: State-developed censorship tools can be commercialized and exported, amplifying global digital rights risks., Leaks of proprietary surveillance technology can expose authoritarian regimes' tactics and enable countermeasures., VPN providers must continuously innovate to bypass advanced DPI-based censorship., Cross-referencing cargo manifests, data center footprints, and code annotations can trace technology exports.
What recommendations were made to prevent future incidents ?
Incident : Data Breach FIN1093010091725
Recommendations: International bodies should investigate and sanction entities involved in exporting censorship technology., Tech companies should collaborate to develop open-source tools to counteract state-level DPI censorship., Governments and NGOs should fund research into circumvention tools for affected populations., Journalists and activists in authoritarian regimes should adopt advanced VPN obfuscation techniques (e.g., NordVPN’s stealth protocols)., Export controls should be strengthened to prevent the sale of surveillance technology to repressive regimes.International bodies should investigate and sanction entities involved in exporting censorship technology., Tech companies should collaborate to develop open-source tools to counteract state-level DPI censorship., Governments and NGOs should fund research into circumvention tools for affected populations., Journalists and activists in authoritarian regimes should adopt advanced VPN obfuscation techniques (e.g., NordVPN’s stealth protocols)., Export controls should be strengthened to prevent the sale of surveillance technology to repressive regimes.International bodies should investigate and sanction entities involved in exporting censorship technology., Tech companies should collaborate to develop open-source tools to counteract state-level DPI censorship., Governments and NGOs should fund research into circumvention tools for affected populations., Journalists and activists in authoritarian regimes should adopt advanced VPN obfuscation techniques (e.g., NordVPN’s stealth protocols)., Export controls should be strengthened to prevent the sale of surveillance technology to repressive regimes.International bodies should investigate and sanction entities involved in exporting censorship technology., Tech companies should collaborate to develop open-source tools to counteract state-level DPI censorship., Governments and NGOs should fund research into circumvention tools for affected populations., Journalists and activists in authoritarian regimes should adopt advanced VPN obfuscation techniques (e.g., NordVPN’s stealth protocols)., Export controls should be strengthened to prevent the sale of surveillance technology to repressive regimes.International bodies should investigate and sanction entities involved in exporting censorship technology., Tech companies should collaborate to develop open-source tools to counteract state-level DPI censorship., Governments and NGOs should fund research into circumvention tools for affected populations., Journalists and activists in authoritarian regimes should adopt advanced VPN obfuscation techniques (e.g., NordVPN’s stealth protocols)., Export controls should be strengthened to prevent the sale of surveillance technology to repressive regimes.
What are the key lessons learned from past incidents ?
Key Lessons Learned: The key lessons learned from past incidents are State-developed censorship tools can be commercialized and exported, amplifying global digital rights risks.,Leaks of proprietary surveillance technology can expose authoritarian regimes' tactics and enable countermeasures.,VPN providers must continuously innovate to bypass advanced DPI-based censorship.,Cross-referencing cargo manifests, data center footprints, and code annotations can trace technology exports.
References
Where can I find more information about each incident ?
Incident : Data Breach FIN1093010091725
Source: Twitter (X) post with leak details
URL: https://twitter.com/.../status/DADdDtKZ7w
Date Accessed: 2025-09-13
Incident : Data Breach FIN1093010091725
Source: MESA Lab (Institute of Information Engineering)
Where can stakeholders find additional resources on cybersecurity best practices ?
Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Great Firewall ReportDate Accessed: 2025-09-13, and Source: Twitter (X) post with leak detailsUrl: https://twitter.com/.../status/DADdDtKZ7wDate Accessed: 2025-09-13, and Source: MESA Lab (Institute of Information Engineering).
Investigation Status
What is the current status of the investigation for each incident ?
Incident : Data Breach FIN1093010091725
Investigation Status: Ongoing (led by Great Firewall Report and independent researchers)
How does the company communicate the status of incident investigations to stakeholders ?
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public Disclosure Via Great Firewall Report and Media Coverage Highlighting Censorship Risks.
Stakeholder and Customer Advisories
Were there any advisories issued to stakeholders or customers for each incident ?
Incident : Data Breach FIN1093010091725
Stakeholder Advisories: Human Rights Organizations Warned Of Escalating Digital Repression., Vpn Providers Advised Users In Affected Countries To Enable Obfuscation Features., Tech Policy Experts Called For Sanctions Against Geedge Networks And Associated Entities..
Customer Advisories: Citizens in Ethiopia, Myanmar, Kazakhstan, and Pakistan were advised to use obfuscated VPNs (e.g., NordVPN, Proton VPN).Activists and journalists were urged to adopt encrypted communication tools (e.g., Signal, Session).
What advisories does the company provide to stakeholders and customers following an incident ?
Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Human Rights Organizations Warned Of Escalating Digital Repression., Vpn Providers Advised Users In Affected Countries To Enable Obfuscation Features., Tech Policy Experts Called For Sanctions Against Geedge Networks And Associated Entities., Citizens In Ethiopia, Myanmar, Kazakhstan, And Pakistan Were Advised To Use Obfuscated Vpns (E.G., Nordvpn, Proton Vpn)., Activists And Journalists Were Urged To Adopt Encrypted Communication Tools (E.G., Signal, Session). and .
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident ?
Incident : Data Breach FIN1093010091725
Root Causes: Inadequate Security Measures At Geedge Networks Leading To Data Leak., Commercialization Of State Surveillance Technology Without Ethical Safeguards., Lack Of International Oversight On Censorship Technology Exports.,
What is the company's process for conducting post-incident analysis ?
Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Great Firewall Report Researchers, Mesa Lab Investigators, .
Additional Questions
Incident Details
What was the most recent incident detected ?
Most Recent Incident Detected: The most recent incident detected was on 2025-09-11.
What was the most recent incident publicly disclosed ?
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-09-13.
Impact of the Incidents
What was the most significant data compromised in an incident ?
Most Significant Data Compromised: The most significant data compromised in an incident were Source code, Work logs, Internal communications, DPI blueprints, Secure Gateway software, Censorship algorithms and .
What was the most significant system affected in an incident ?
Most Significant System Affected: The most significant system affected in an incident was Geedge Networks' infrastructureGreat Firewall development systems.
Response to the Incidents
What third-party assistance was involved in the most recent incident ?
Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was great firewall report researchers, mesa lab investigators, .
Data Breach Information
What was the most sensitive data compromised in a breach ?
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Source code, Censorship algorithms, Secure Gateway software, DPI blueprints, Internal communications and Work logs.
What was the number of records exposed in the most significant breach ?
Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 100.5K.
Lessons Learned and Recommendations
What was the most significant lesson learned from past incidents ?
Most Significant Lesson Learned: The most significant lesson learned from past incidents was Cross-referencing cargo manifests, data center footprints, and code annotations can trace technology exports.
What was the most significant recommendation implemented to improve cybersecurity ?
Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Tech companies should collaborate to develop open-source tools to counteract state-level DPI censorship., International bodies should investigate and sanction entities involved in exporting censorship technology., Journalists and activists in authoritarian regimes should adopt advanced VPN obfuscation techniques (e.g., NordVPN’s stealth protocols)., Export controls should be strengthened to prevent the sale of surveillance technology to repressive regimes. and Governments and NGOs should fund research into circumvention tools for affected populations..
References
What is the most recent source of information about an incident ?
Most Recent Source: The most recent source of information about an incident are MESA Lab (Institute of Information Engineering), Twitter (X) post with leak details and Great Firewall Report.
What is the most recent URL for additional resources on cybersecurity best practices ?
Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://twitter.com/.../status/DADdDtKZ7w .
Investigation Status
What is the current status of the most recent investigation ?
Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (led by Great Firewall Report and independent researchers).
Stakeholder and Customer Advisories
What was the most recent stakeholder advisory issued ?
Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Human rights organizations warned of escalating digital repression., VPN providers advised users in affected countries to enable obfuscation features., Tech policy experts called for sanctions against Geedge Networks and associated entities., .
What was the most recent customer advisory issued ?
Most Recent Customer Advisory: The most recent customer advisory issued were an Citizens in Ethiopia, Myanmar, Kazakhstan, and Pakistan were advised to use obfuscated VPNs (e.g., NordVPN, Proton VPN).Activists and journalists were urged to adopt encrypted communication tools (e.g., Signal and Session).
.png)
Latest Global CVEs (Not Company-Specific)
Description
A vulnerability was determined in motogadget mo.lock Ignition Lock up to 20251125. Affected by this vulnerability is an unknown functionality of the component NFC Handler. Executing manipulation can lead to use of hard-coded cryptographic key . The physical device can be targeted for the attack. A high complexity level is associated with this attack. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
Risk Information
cvss2
Base: 1.2
Severity: HIGH
AV:L/AC:H/Au:N/C:P/I:N/A:N
cvss3
Base: 2.0
Severity: HIGH
CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss4
Base: 1.0
Severity: HIGH
CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the interview attachment retrieval endpoint in the Recruitment module serves files based solely on an authenticated session and user-supplied identifiers, without verifying whether the requester has permission to access the associated interview record. Because the server does not perform any recruitment-level authorization checks, an ESS-level user with no access to recruitment workflows can directly request interview attachment URLs and receive the corresponding files. This exposes confidential interview documents—including candidate CVs, evaluations, and supporting files—to unauthorized users. The issue arises from relying on predictable object identifiers and session presence rather than validating the user’s association with the relevant recruitment process. This issue has been patched in version 5.8.
Risk Information
cvss4
Base: 5.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application’s recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restricted to ESS-level access, who have no permission to view the Recruitment module, can directly access candidate attachment URLs. When an authenticated request is made to the attachment endpoint, the system validates the session but does not confirm that the requesting user has the necessary recruitment permissions. As a result, any authenticated user can download CVs and other uploaded documents for arbitrary candidates by issuing direct requests to the attachment endpoint, leading to unauthorized exposure of sensitive applicant data. This issue has been patched in version 5.8.
Risk Information
cvss4
Base: 5.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid indefinitely. As a result, a disabled user, or an attacker using a compromised account, can continue to access protected pages and perform operations as long as a prior session remains active. Because the server performs no session revocation or session-store cleanup during these critical state changes, disabling an account or updating credentials has no effect on already-established sessions. This makes administrative disable actions ineffective and allows unauthorized users to retain full access even after an account is closed or a password is reset, exposing the system to prolonged unauthorized use and significantly increasing the impact of account takeover scenarios. This issue has been patched in version 5.8.
Risk Information
cvss4
Base: 8.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset process was originally initiated. After obtaining a valid reset link for any account they can receive email for, an attacker can alter the username parameter in the final reset request to target a different user. Because the system accepts the supplied username without verification, the attacker can set a new password for any chosen account, including privileged accounts, resulting in full account takeover. This issue has been patched in version 5.8.
Risk Information
cvss4
Base: 8.7
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Access Data Using Our API
Get company history
curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=findnonprofit' -H 'apikey: YOUR_API_KEY_HERE'
RapidWhat Do We Measure ?
Incident
Finding
Grade
Digital Assets
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Network Security
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
SBOM (Software Bill of Materials)
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
CMDB (Configuration Management Database)
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Threat Intelligence
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.
