Another Healthy Year for the GSMA CVD Programme

The GSMA Coordinated Vulnerability Disclosure Programme was founded in 2017 to help security researchers report security vulnerabilities and to enable the mobile telecommunication ecosystem to respond to and resolve reported vulnerabilities. Since its introduction, the programme has considered over 50 vulnerability disclosures with 27 reports being formally acknowledged as increasing the security posture of the mobile industry.

Every year since the programme was started the GSMA has hosted an annual review of the scheme.  The review is undertaken by the programme’s Panel of Experts and provides an opportunity to review the programme’s performance and impact over the past 12 months, as well as an opportunity to look ahead at how the programme should evolve to fulfil future industry needs. This year’s review was completed on the 24th May 2022.

Overview of GSMA CVD Programme

The GSMA CVD programme gives security researchers a route to disclose a vulnerability impacting the mobile ecosystem allowing the impact to be mitigated before it enters the public domain. We work with mobile operators, suppliers and standards bodies to develop fixes and mitigating actions to protect customers’ security and trust in the mobile communications industry.

The GSMA encourages disclosure of security research which enhances security levels and better protects assets and customers, and our Coordinated Vulnerability Disclosure programme is designed to support the reporting and remediation of security vulnerabilities at an industry level.

GSMA CVD Programme Panel of Experts

The Panel of Experts (PoE) is the group of subject matter experts from GSMA member organisations who assess the risks posed by reported vulnerabilities and consider options for remediation of the vulnerabilities submitted to GSMA via the CVD programme. The PoE comprises members from a broad cross-section of the mobile industry and they sit on the panel in their personal capacity as subject matter experts, as opposed to representing their employers. PoE activities include technical analysis of vulnerabilities, assessing the impact of submissions, suggesting remediation options and contributing to advisories relating to the vulnerabilities.

The PoE also review the performance and impact of the programme and the highlights noted during this year’s annual review were:

  • Successful Year for the Programme – The panel reviewed the programme’s performance over the past 12 months. In that period the scheme added 3 new acknowledgements to the GSMA website.  The panel noted that the feedback received from security researchers over this period was very positive and the programmes KPI’s for responding to submissions had been met. The panel concluded that the programme was in good health and had provided significant value to the industry.
  • CVD Schemes Becoming Front and Centre of Future Security Regulation – The panel noted that CVD programmes are becoming ever more embedded into security regulations. For part of the review, the PoE was joined by Evangelos Kantas of ENISA who explained how ENISA was supporting the development of CVD programmes within Europe, how cooperation and information exchange is one of the main pillars of the nascent NIS2 directive and how CVD is likely to become an essential part of the directive.  
  • PoE Skill Sets Remain Balanced and Strong, but New PoE Members Need to be Recruited –The panel reviewed the overall skillset of the panel of experts noting that it is normal that the makeup of panel members changes over time and that this can impact the balance in the skillset of the group. The group concluded that the skillset of the panel remained strong and well balanced, covering all key aspects of mobile network technology and the panel identified the need to recruit new panel members towards the end of 2022, ensuring these new members are recruited from across the spectrum of GSMA members.

GSMA CVD Programme Call to Action

There are several ways to participate in the GSMA CVD Programme if you are a researcher who would like to submit a vulnerability into the programme or a GSMA member who would like to join the Panel of Experts.

If you are a security researcher, we welcome both private individuals and organisations to report vulnerabilities to the GSMA in a responsible manner in line with our programme scope. You can find out more about submitting a vulnerability to the programme here.

If you are a mobile telecommunications security expert with a GSMA member company you are welcome to apply to become a member of the CVD panel of experts.  Recruitment of new panel members will open in late 2022 and you can find out what skillsets and commitment are required to join the PoE here.

Please reach out to [email protected] if you have any questions regarding the scheme or would like to join the panel of experts.