How to submit your vulnerability and what to expect

There are two ways of submitting to the GSMA Coordinated Vulnerability Disclosure programme. You can download the submission form in Microsoft Word or text format and send it back to the GSMA, or you can fill in the online form below.

We request reporters of vulnerabilities to describe the vulnerability on the submission form, including:

  • Identification of the vulnerable target(s)
  • A description of the vulnerability
  • Operations carried out to exploit the vulnerability

This is usually sufficient information to enable the GSMA to consider the vulnerability and will allow for verification and identification of possible remediations. A Proof-of-Concept (POC) or more detailed description may be requested in the case of complex vulnerabilities.

The GSMA may ask a Reporter for more information throughout the consideration process.

Researcher Testimonial: Find out about the importance of submitting a vulnerability to the CVD programme, the experience of working with the GSMA and the additional benefits of engagement with the mobile industry.

Submission Forms

Submission Form – Word Version
Submission Form – Text Version

Once you have completed this template, you should submit it by email to the GSMA on security@gsma.com.

The GSMA recommends that all vulnerability disclosure submissions are encrypted, but use of encryption is at the discretion of the finder.

Click here to view the CVD submission process.

Scope

The scope of the GSMA CVD Programme is security vulnerabilities that impact the mobile industry, primarily open-standards-based technologies.

The following items are out of scope for the CVD Programme.

  • Research or information on a vulnerability which has previously been made public. Research or information on a vulnerability which is already in the public domain is out of scope for inclusion in the Acknowledgements page, but may be considered through the CVD Programme in order to develop remediations.
  • Services or products provided by a single Manufacturer or Manufacturer group. These should be reported to the relevant Manufacturer.
  • Services or products provided by a single company or group of companies. These should be reported to the relevant company.
  • Submissions by GSMA Members, Associate Members and Rapporteurs where they are working on the topic as part of an Activity. These should be reported through the relevant Activity.

For vulnerabilities affecting one manufacturer or network, please contact them directly – some vulnerability disclosure programmes from GSMA members can be found here.

For reporting vulnerabilities in GSMA websites or services please see here.

Research Expectations

The GSMA is grateful to Reporters who afford us the opportunity to consider their findings, liaise with the industry and define remediation and mitigation actions. However, participation in the CVD Programme requires that Reporters do not engage in activities that violate any local legislation or regulations and third party rights.

Reporters are asked to:

  • Not abuse the reported vulnerability. For example, downloading more data than is necessary to demonstrate the vulnerability, or changing/deleting live systems, settings or data.
  • Exercise caution and restraint with regard to personal data and not intentionally engage in attacks against third parties, social engineering, denial-of-service attacks, spamming or otherwise causing a nuisance to other users.

If there is any doubt, please contact security@gsma.com.

PGP details

  • User-ID: Roger Brown21
  • Created: 25/05/2021 15:12
  • Expires: 25/05/2023 12:00
  • Type: 2048-bit RSA (secret key available)
  • Usage: Signing, Encryption, Certifying User-IDs
  • Fingerprint: 08CFC2C637342DA983D72AEF216A07DC142B9053

Submit your vulnerability

Online form

To submit documents or other attachments in addition to the information in this form, please email these to security@gsma.com.