GSMA Coordinated Vulnerability Disclosure Programme

Welcome to the GSMA Coordinated Vulnerability Disclosure Programme.

GSMA regards the security of mobile network infrastructure and customer apparatus, such as devices and smart cards, as essential to the provision of secure and trustworthy services by its members. The GSMA recognises the need for industry to have in place processes that are capable of dealing with and handling disclosures about potential security vulnerabilities that could impact the industry and its customers.

The GSMA welcomes security research designed to enhance security levels to better protect assets and customers, and its Coordinated Vulnerability Disclosure programme is designed to support the reporting and remediation of security vulnerabilities at industry level.

Security researchers that discover vulnerabilities or weaknesses in mobile systems, that are not proprietary in nature, are welcome to contact the GSMA, which is pleased to receive such details so that the impact and mitigation options can be considered.

We invite both private individuals and organisations to report vulnerabilities to the GSMA in a responsible manner in line with our CVD programme scope and objectives.

Coordinated Vulnerability Disclosure Programme – GSMA Assets

Recognising the value and potential for coordinated vulnerability disclosure to facilitate the reporting and remediation of security vulnerabilities, GSMA welcomes disclosures pertaining to its own product or service offerings and its technology assets, including the following:

  • GSMA Websites
  • InfoCentre
  • Device Database
  • Device Check
  • Device Map
  • Pathfinder
  • Event Systems and Services
  • RAex
  • Pegged Exchange

We invite private individuals and organisations to report vulnerabilities identified in GSMA assets in line with our CVD programme, and we ask that finders provide information using the same process that is described for industry-based vulnerabilities.

Coordinated Vulnerability Disclosure Programme – Eligibility

In order for a disclosure to be eligible for submission under GSMA’s Coordinated Vulnerability Disclosure programme, the identified security vulnerability must not apply only to vendor-specific technologies or services. Such issues should be reported to the vendors in question.

Disclosures to GSMA must focus on open standards-based technologies which are not proprietary to a specific vendor but that are used across, or have significant impact on, the mobile industry (including but not limited to protocols specified by IETF, ITU, ISO, ETSI, 3GPP, GSMA etc.).

Coordinated Vulnerability Disclosure Programme – Finder Responsibilities

We request you to:

  • E-mail your findings using the GSMA CVD report format below. If desired, submissions can be encrypted using GSMA’s GPG Key.
  • Do not abuse the vulnerability by, for example, downloading more data than is necessary to demonstrate the leak, or by changing or deleting data.
  • Exercise caution and restraint with regard to personal data and not intentionally engage in attacks against third parties, social engineering, denial-of-service attacks or spamming or otherwise causing nuisance to other users.
  • Do not share information about the vulnerability with others until it has been resolved in accordance with the GSMA’s CVD policy timeframes.
  • Provide a Proof-of-Concept (POC) and / or sufficient information to enable reproduction of the vulnerability, so that it can be verified, reproduced, and possible remedies identified. Generally, identification of the vulnerable target, a description of the vulnerability and operations carried out to exploit the vulnerability are sufficient, but more details and information might be required in the case of complex vulnerabilities.

Coordinated Vulnerability Disclosure Programme – GSMA Responsibilities

What we will do:

  • Respond within 10 working days to all submitted reports with an acknowledgement and initial appraisal of the information provided by the finder. There may be times where remediation is not a possible option, for a variety of reasons. The GSMA will assess if remediation is possible, and by when. It will keep the finder informed of the progress of any remediation action.
  • Treat submitted reports confidentially and not share the finder’s personal details with third parties without their authorisation, unless required to do so in order to comply with legal obligations.
  • Accept anonymous or pseudonymous reports but finders choosing to engage in this way should be aware that the GSMA cannot confidently contact them concerning, for example, the steps taken, progress in remediating the reported vulnerability and publication of the vulnerability.
  • If acceptable to the finder, the GSMA will credit those that submit reports of discovered vulnerabilities. The GSMA will, where appropriate, recognise disclosures by naming the finders on its Mobile Security Research Hall of Fame on GSMA’s website. Entry to the Mobile Security Research Hall of Fame will be determined by the GSMA on a case-by-case basis and eligibility will depend on factors such as the efficacy of the research, the accuracy of the vulnerability claims, the quality of the report submitted, the severity and global applicability of the vulnerability, etc.
  • Resolve all submitted reports as quickly as possible, keep all involved parties informed and participate in the publication of details pertaining to remedied vulnerabilities.

Coordinated Vulnerability Disclosure Programme – Vulnerability Submissions

In order for the vulnerability to be accepted into the GSMA CVD programme, the vulnerability should be described in an email. Once the vulnerability is documented it should be sent by email to the GSMA. The GSMA recommends that all vulnerability disclosure submissions are encrypted but use of encryption is at the discretion of the finder.

Please use the following details when communicating with the GSMA:

Email Address: Security@gsma.com
GPG Key ID: E4BC3D34
GPG Fingerprint: DDCA 4F36 5843 E12E F8AE 2DE2 2A8A FFDA E4BC 3D34
CVD Submission: Submission Form – Word Based; Submission Form – Text Based

GSMA Coordinated Vulnerability Disclosure Programme – Disclaimer

The GSMA responsibilities and any other activities carried out as part of the GSMA Coordinated Vulnerability Disclosure programme are provided “as is”, without any warranty of any kind. All warranties, whether expressed or implied, or statutory, including without limitation any implied or other warranties of merchantability, fitness for a particular purpose, non-infringement, quality, accuracy, completeness, title or quiet enjoyment are expressly disclaimed and excluded.

As this programme is designed to benefit the safety of mobile networks and users, the CVD Governance Team, the GSMA, its staff and members do not warrant or assume any liability for the responsibilities of this programme, or “Validation of Submissions” and any other activities or milestones set forth by the GSMA. Each beneficiary of this activity will engage in this offering without reliance or any representation and/or warranty of the other parties and all such representations and/or warranties are, to the greatest extent permitted by applicable law, hereby disclaimed.

Owners or providers of an offering that has been identified by a Finder as having a vulnerability will only be given details of such vulnerability under this programme. The vulnerability must be validated in accordance with the GSMA Coordinated Vulnerability Disclosure process.