There are two ways of submitting to the GSMA Coordinated Vulnerability Disclosure programme. You can download the submission form in Microsoft Word or text format and send it back to the GSMA, or you can fill in the online form below.
We ask reporters of vulnerabilities to describe the vulnerability on the submission form, including:
- Identification of the vulnerable target(s)
- A description of the vulnerability
- Operations carried out to exploit the vulnerability
This is usually sufficient information to enable the GSMA to consider the vulnerability and will allow for verification and identification of possible remediations. A Proof-of-Concept (POC) or more detailed description may be requested in the case of complex vulnerabilities.
The GSMA may ask a Reporter for more information throughout the consideration process.
Researcher Testimonial: Find out about the importance of submitting a vulnerability to the CVD programme, the experience of working with the GSMA and the additional benefits of engagement with the mobile industry.
Submission Form – Word Version
Submission Form – Text Version
Once you have completed this template, you should submit it by email to the GSMA on firstname.lastname@example.org.
The GSMA recommends that all vulnerability disclosure submissions are encrypted, but use of encryption is at the discretion of the finder.
Click here to view the CVD submission process.
Is the GSMA’s CVD programme the correct scheme to bring my research to?
The scope of the GSMA CVD Programme is security vulnerabilities that impact the mobile industry, primarily in open-standards-based technologies.
The following items are out of scope for the CVD Programme.
- Research or information on a vulnerability which has previously been made public. Research or information on a vulnerability which is already in the public domain is out of scope for inclusion in the Acknowledgements page, but may be considered through the CVD Programme in order to develop remediations.
- Services or products provided by a single Manufacturer or Manufacturer group. These should be reported to the relevant Manufacturer.
- Services or products provided by a single company or group of companies. These should be reported to the relevant company.
- Submissions by GSMA Members, Associate Members and Rapporteurs where they are working on the topic as part of an Activity. These should be reported through the relevant Activity.
For vulnerabilities affecting one manufacturer or network, please contact them directly – some vulnerability disclosure programmes from GSMA members can be found here.
For reporting vulnerabilities in GSMA websites or services please see here.
The GSMA is grateful to Reporters who afford us the opportunity to consider their findings, liaise with the industry and define remediation and mitigation actions. However, participation in the CVD Programme requires that Reporters do not engage in activities that violate any local legislation or regulations and third party rights.
Reporters are asked to:
- Not abuse the reported vulnerability. For example, downloading more data than is necessary to demonstrate the vulnerability, or changing/deleting live systems, settings or data.
- Exercise caution and restraint with regard to personal data and not intentionally engage in attacks against third parties, social engineering, denial-of-service attacks, spamming or otherwise causing a nuisance to other users.
If there is any doubt, please contact email@example.com.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: User-ID: Roger Brown21
Comment: Created: 25/05/2021 15:12
Comment: Expires: 25/05/2023 12:00
Comment: Type: 2048-bit RSA (secret key available)
Comment: Usage: Signing, Encryption, Certifying User-IDs
Comment: Fingerprint: 08CFC2C637342DA983D72AEF216A07DC142B9053
-----END PGP PUBLIC KEY BLOCK-----
Submit your vulnerability
To submit documents or other attachments in addition to the information in this form, please email these to firstname.lastname@example.org.