GSMA regards the security of mobile network infrastructure and customer apparatus, such as devices and smart cards, as essential to the provision of secure and trustworthy services by its members. The GSMA recognises the need for industry to have in place processes that are capable of dealing with and handling disclosures about potential security vulnerabilities that could impact the industry and its customers.
The GSMA welcomes security research designed to enhance security levels to better protect assets and customers and its Coordinated Vulnerability Disclosure programme is designed to support the reporting and remediation of security vulnerabilities at industry level.
Security researchers that discover vulnerabilities or weaknesses in mobile systems, that are not proprietary in nature, are welcome to contact the GSMA, which is pleased to receive such details so that the impact and mitigation options can be considered.
We invite both private individuals and organisations to report vulnerabilities to the GSMA in a responsible manner in line with our CVD programme scope and objectives.
Recognising the value and potential for coordinated vulnerability disclosure to facilitate the reporting and remediation of security vulnerabilities, GSMA welcomes disclosures pertaining to its own product or service offerings and its technology assets, including the following
We invite private individuals and organisations to report vulnerabilities identified in GSMA assets in line with our CVD programme and we ask that finders provide information using the same process that is described for industry based vulnerabilities.
In order for a disclosure to be eligible for submission under GSMA’s Coordinated Vulnerability Disclosure programme the identified security vulnerability must not only apply to vendor specific technologies or services. Such issues should be reported to the vendors in question.
Disclosures to GSMA must focus on open standards based technologies which are not proprietary to a specific vendor but that are used across, or have significant impact on, the mobile industry (e.g. including but not limited to protocols specified by IETF, ITU, ISO, ETSI, 3GPP, GSMA etc.)
We request you to:
What we will do:
In order for the vulnerability to be accepted into the GSMA CVD programme, the vulnerability should be described in an email. Once the vulnerability is documented it should be sent by email to the GSMA. The GSMA recommends that all vulnerability disclosure submissions are encrypted but use of encryption is at the discretion of the finder.
Please use the following details when communicating with the GSMA
|GPG Details||GPG Key ID – E4BC3D34|
|GPG Fingerprint – DDCA 4F36 5843 E12E F8AE 2DE2 2A8A FFDA E4BC 3D34|
|CVD Submission||Submission Form – Word Based|
|Submission Form – Text Based|
The GSMA responsibilities and any other activities carried out as part of the GSMA Coordinated Vulnerability Disclosure programme are provided “as is”, without any warranty of any kind. All warranties, whether expressed or implied, or statutory, including without limitation any implied or other warranties of merchantability, fitness for a particular purpose, non-infringement, quality, accuracy, completeness, title or quite enjoyment are expressly disclaimed and excluded.
As this programme is designed to benefit the safety of mobile networks and users, the CVD Governance Team, the GSMA, its staff and members do not warrant or assume any liability for the responsibilities of this programme, or ”Validation of Submissions” and any other activities or milestones set forth by the GSMA. Each beneficiary of this activity will engage in this offering without reliance or any representation and /or warranty of the other parties and all such representations and/or warranties are, to the greatest extent permitted by applicable law, hereby disclaimed.
Owners or providers of an offering that has been identified by a Finder as having a vulnerability will only be given details of such vulnerability under this programme. The vulnerability must be validated in accordance with the GSMA Coordinated Vulnerability Disclosure process.