GSMA Coordinated Vulnerability Disclosure (CVD) Programme

Welcome to the GSMA Coordinated Vulnerability Disclosure Programme

The GSMA Coordinated Vulnerability Disclosure (CVD) programme gives security researchers a route to disclose a vulnerability impacting the mobile ecosystem meaning the impact can be mitigated before it enters the public domain. We work with mobile operators, suppliers and standards bodies to develop fixes and mitigating actions to protect customers’ security and trust in the mobile communications industry.

Please find further information below, or GSMA members can search for ‘CVD’ on GSMA InfoCentre2.

Background to the GSMA CVD Programme

GSMA regards the security of mobile network infrastructure and customer apparatus, such as devices and smart cards, as essential to the provision of secure and trustworthy services by its members. The GSMA recognises the need for industry to have in place processes that are capable of dealing with and handling disclosures about potential security vulnerabilities that could impact the industry and its customers.

The GSMA welcomes security research designed to enhance security levels to better protect assets and customers and its Coordinated Vulnerability Disclosure programme is designed to support the reporting and remediation of security vulnerabilities at industry level.

Security researchers that discover vulnerabilities or weaknesses in mobile systems, that are not proprietary in nature, are welcome to contact the GSMA, which is pleased to receive such details so that the impact and mitigation options can be considered.

We invite both private individuals and organisations to report vulnerabilities to the GSMA in a responsible manner in line with our CVD programme scope and objectives.


Eligibility

In order for a disclosure to be eligible for submission under GSMA’s Coordinated Vulnerability Disclosure programme, the identified security vulnerability must not apply only to vendor-specific technologies or services. Such issues should be reported to the vendors in question.

Disclosures to GSMA must focus on open-standards-based technologies which are not proprietary to a specific vendor but that are used across, or have significant impact on, the mobile industry (e.g. including but not limited to protocols specified by IETF, ITU, ISO, ETSI, 3GPP, GSMA etc.).

For disclosures regarding GSMA assets please click here.


Finder Responsibilities

We request you to:

  • Email your findings using the GSMA CVD report format below. If desired, submissions can be encrypted using GSMA’s GPG key.
  • Do not abuse the vulnerability by, for example, downloading more data than is necessary to demonstrate the leak, or by changing or deleting data.
  • Exercise caution and restraint with regard to personal data and not intentionally engage in attacks against third parties, social engineering, denial-of-service attacks or spamming or otherwise causing nuisance to other users.
  • Do not share information about the vulnerability with others until it has been resolved in accordance with the GSMA’s CVD policy timeframes.
  • Provide a Proof-of-Concept (POC) and / or sufficient information to enable reproduction of the vulnerability, so that it can be verified, reproduced, and possible remedies identified. Generally, identification of the vulnerable target, a description of the vulnerability and operations carried out to exploit the vulnerability are sufficient, but more details and information might be required in the case of complex vulnerabilities.


GSMA Responsibilities

What we will do:

  • Respond within 10 working days to all submitted reports with an acknowledgement and initial appraisal of the information provided by the finder. There may be times where remediation is not a possible option, for a variety of reasons. The GSMA will assess if remediation is possible, and by when. It will keep the finder informed of the progress of any remediation action.
  • Treat submitted reports confidentially and will not share the finder’s personal details with third parties without their authorisation, unless required to do so in order to comply with legal obligations.
  • Accept anonymous or pseudonymous reports but finders choosing to engage in this way should be aware that the GSMA cannot confidently contact them concerning, for example, the steps taken, progress in remediating the reported vulnerability and publication of the vulnerability.
  • If acceptable to the finder, the GSMA will credit those that submit reports of discovered vulnerabilities. The GSMA will, where appropriate, recognise disclosures by naming the finders on its Mobile Security Research Hall of Fame on GSMA’s website. Entry to the Mobile Security Research Hall of Fame will be determined by the GSMA on a case-by-case basis and eligibility will depend on factors such as the efficacy of the research, the accuracy of the vulnerability claims, the quality of the report submitted, the severity and global applicability of the vulnerability, etc.
  • Resolve all submitted reports as quickly as possible, to keep all involved parties informed and participate in the publication of details pertaining to remedied vulnerabilities.


How to Submit

In order to submit to the GSMA CVD programme, the vulnerability should be described using one of the templates below:

Submission Form - Word Version
Submission Form - Text Version

Once you have completed the template, you should submit it by email to the GSMA at security@gsma.com. The GSMA recommends that all vulnerability disclosure submissions are encrypted, but use of encryption is at the discretion of the finder.

PGP Details:

GSMA Coordinated Vulnerability Disclosure Programme – Disclaimer

The GSMA responsibilities and any other activities carried out as part of the GSMA Coordinated Vulnerability Disclosure programme are provided “as is”, without any warranty of any kind. All warranties, whether expressed or implied, or statutory, including without limitation any implied or other warranties of merchantability, fitness for a particular purpose, non-infringement, quality, accuracy, completeness, title or quiet enjoyment are expressly disclaimed and excluded.

As this programme is designed to benefit the safety of mobile networks and users, the CVD Governance Team, the GSMA, its staff and members do not warrant or assume any liability for the responsibilities of this programme, or “Validation of Submissions” and any other activities or milestones set forth by the GSMA. Each beneficiary of this activity will engage in this offering without reliance on any representation and/or warranty of the other parties, and all such representations and/or warranties are, to the greatest extent permitted by applicable law, hereby disclaimed.

Owners or providers of an offering that has been identified by a Finder as having a vulnerability will only be given details of such vulnerability under this programme. The vulnerability must be validated in accordance with the GSMA Coordinated Vulnerability Disclosure process.