How to submit your vulnerability and what to expect

There are two ways of submitting to the GSMA Coordinated Vulnerability Disclosure programme. You can download the submission form in Microsoft Word or Text version format and send it back to the GSMA, or you can fill the online form below. 

We request reporters of vulnerabilities to describe the vulnerability on the submission form, including:

• Identification of the vulnerable target(s)
• A description of the vulnerability
• Operations carried out to exploit the vulnerability

This is usually sufficient information to enable the GSMA to consider the vulnerability and will allow for verification and identification of possible remediations. A Proof-of-Concept (POC) or more detailed description may be requested in the case of complex vulnerabilities.

The GSMA may ask a Reporter for more information throughout the consideration process.

Researcher Testimonial: Find out what the importance is of submitting a vulnerability to the CVD programme, the experience of working with the GSMA and the additional benefits of engagement with the mobile industry.

Submission Forms

Submission Form – Word Version
Submission Form – Text Version

Once you have completed this template, you should submit it by email to the GSMA on [email protected].

The GSMA recommends that all vulnerability disclosure submissions are encrypted, but use of encryption is at the discretion of the finder.

Click here to view the CVD submission process.

Scope

Is the GSMA’s CVD programme the correct scheme to bring my research to?

The scope of the GSMA CVD Programme is security vulnerabilities that impact the mobile industry, primarily open standards based technologies.

The following items are out of scope for the CVD Programme.

• Research or information on a vulnerability which has previously been made public. Research or information on a vulnerability which is already in the public domain is out of scope for inclusion in the Acknowledgements page, but may be considered through the CVD Programme in order to develop remediations.
• Services or products provided by a single Manufacturer or Manufacturer group, these should be reported to the relevant Manufacturer.
• Services or products provided by a single company or group of companies. These should be reported to the relevant company.
• Submissions by GSMA Members, Associate Members and Rapporteurs where they are working on the topic as part of an Activity. These should be reported through the relevant Activity apart from in the case of exceptional circumstances.

For vulnerabilities affecting one manufacturer or network, please contact them directly – some vulnerability disclosure programmes from GSMA members can be found here.

For reporting vulnerabilities in GSMA websites or services please see here.

Research Expectations

The GSMA is grateful to Reporters who afford us the opportunity to consider their findings, liaise with the industry and define remediation and mitigation actions. However, participation in the CVD Programme requires that Reporters do not engage in activities that violate any local legislation or regulations and third party rights.

Reporters are asked to:

• Not abuse the reported vulnerability. For example, downloading more data than is necessary to demonstrate the vulnerability, or changing/deleting live systems, settings or data.
• Exercise caution and restraint with regard to personal data and not intentionally engaging in attacks against third parties, social engineering, denial-of-service attacks, spamming or otherwise causing a nuisance to other users.

If there is any doubt, please contact [email protected].

Submit your vulnerability