Coordinated Vulnerability Disclosure programme

The aim of the CVD programme

We invite both private individuals and organisations to report vulnerabilities to the GSMA in a responsible manner that is in line with our programme scope.

Where appropriate, CVD submissions and countermeasures are also added to the relevant GSMA reference document. You can find out more about submitting a vulnerability to the programme here.

GSMA regards the security of mobile network infrastructure and customer equipment such as devices, as essential to the provision of secure and trustworthy services by its members.

The GSMA coordinated vulnerability disclosure (CVD) programme gives security researchers a route to disclose a vulnerability impacting the mobile ecosystem, so that its impact can be mitigated before it enters the public domain. We work with mobile operators, suppliers and standards bodies to develop fixes and mitigating actions to protect customers’ security and trust in the mobile communications industry.

We encourage disclosure of security research which enhances security levels and better protects assets and customers, and our coordinated vulnerability disclosure programme is designed to support the reporting and remediation of security vulnerabilities at industry level.

CVD process


GSMA Member CVD programme

The GSMA CVD Programme addresses security vulnerabilities impacting the mobile industry, with a focus on open standards-based technologies. Vulnerabilities affecting the services or products of a specific manufacturer or company should be reported directly to that organisation.
Researchers looking to report a company-specific vulnerability can consult the list of company CVD programmes available here. If the company you wish to contact is not listed, please reach out to us at security@gsma.com, and we will try to assist you.

CVD disclaimer

The GSMA responsibilities and any other activities carried out as part of the GSMA Coordinated vulnerability disclosure programme are provided “as is”, without any warranty of any kind. All warranties, whether expressed, implied or statutory, including without limitation any implied or other warranties of merchantability, fitness for a particular purpose, non-infringement, quality, accuracy, completeness, title or quiet enjoyment, are expressly disclaimed and excluded.

As this programme is designed to benefit the safety of mobile networks and users, the CVD Governance Team, the GSMA, its staff and members do not warrant or assume any liability for the responsibilities of this programme, or ‘validation of submissions’ and any other activities or milestones set forth by the GSMA. Each beneficiary of this activity will engage in this offering without reliance on any representation and/or warranty of the other parties, and all such representations and/or warranties are, to the greatest extent permitted by applicable law, hereby disclaimed.

Owners or providers of an offering that has been identified by a finder as having a vulnerability will only be given details of such vulnerability under this programme. The vulnerability must be validated in accordance with the GSMA Coordinated vulnerability disclosure process.

GSMA Operator, Associate and Rapporteur Members interested in applying to join the CVD panel of experts can find out more details here.

NOTE: Non-3GPP-compliant implementations, open-source software implementations and/or deployments of mobile network elements could lead to incorrect findings. Extrapolating from such results to all existing implementations must be done with caution. While GSMA CVD recognises the usefulness of such tooling for security research, we would like to remind all researchers that implementation-specific findings are in most cases not applicable for CVD submission and shall be reported to the manufacturer. Please always ensure the tooling used is configured correctly before conducting security research.


Security research acknowledgements


CVD programme assets

Please note: Recognition in the Mobile Security Research Acknowledgements page is for identifying vulnerabilities which affect mobile industry standards and services, NOT for those pertaining to GSMA Assets listed below.

We invite private individuals and organisations to report vulnerabilities identified in GSMA assets.

Please note: This is not a bug bounty programme; consequently, GSMA does not offer any rewards for submitted vulnerabilities of this type.