Welcome to the GSMA Coordinated Vulnerability Disclosure Programme
The GSMA Coordinated Vulnerability Disclosure (CVD) programme gives security researchers a route to disclose a vulnerability impacting the mobile ecosystem meaning the impact can be mitigated before it enters the public domain. We work with mobile operators, suppliers and standards bodies to develop fixes and mitigating actions to protect customers’ security and trust in the mobile communications industry.
Please find further information below, in the GSMA permanent reference document FS.23, or GSMA members can search for ‘CVD’ on GSMA InfoCentre2.
GSMA Operator, Associate and Rapporteur members interested in applying to join the CVD Panel of Experts can find out more details here.
Overview of the GSMA CVD Programme
GSMA regards the security of mobile network infrastructure and customer apparatus, such as devices and smart cards, as essential to the provision of secure and trustworthy services by its members. The GSMA recognises the need for industry to have in place processes that are capable of dealing with and handling disclosures about potential security vulnerabilities that could impact the industry and its customers.
The GSMA welcomes security research designed to enhance security levels to better protect assets and customers and its Coordinated Vulnerability Disclosure programme is designed to support the reporting and remediation of security vulnerabilities at industry level.
We invite both private individuals and organisations to report vulnerabilities to the GSMA in a responsible manner in line with our CVD programme scope.
Full details about the GSMA CVD Programme can be found in the document FS.23.
The scope of the CVD Programme is security vulnerabilities that impact the mobile industry, primarily open standards based technologies.
The following items are out of scope for the CVD Programme.
- Research or information on a vulnerability which has previously been made public. Research or information on a vulnerability which is already in the public domain is out of scope for inclusion in the Acknowledgements page, but may be considered through the CVD Programme in order to develop remediations.
- Services or products provided by a single Manufacturer or Manufacturer group, these should be reported to the relevant Manufacturer.
- Services or products provided by a single company or group of companies. These should be reported to the relevant company.
- Submissions by GSMA Members, Associate Members and Rapporteurs where they are working on the topic as part of an Activity. These should be reported through the relevant Activity.
For vulnerabilities affecting one manufacturer or network please contact them directly – some vulnerability disclosure programmes from GSMA members can be found here.
For vulnerabilities in GSMA websites or services please see here.
The GSMA is grateful to Reporters who afford us the opportunity to consider their findings, liaise with the industry and define remediation and mitigation actions. However, participation in the CVD Programme requires that Reporters do not engage in activities that violate any local legislation or regulations and third party rights.
Reporters are asked to:
- Not abuse the reported vulnerability. For example, downloading more data than is necessary to demonstrate the vulnerability, or changing/deleting live systems, settings or data.
- Exercise caution and restraint with regard to personal data and not intentionally engaging in attacks against third parties, social engineering, denial-of-service attacks, spamming or otherwise causing a nuisance to other users.
If there is any doubt, please contact firstname.lastname@example.org.
How to Submit
There are two ways of submitting to the GSMA CVD programme: You can download the submission form in Microsoft Word or Text version format and send it back to the GSMA; or you can fill an online form (see further below).
We request finders to describe the vulnerability on the submission form, including:
- Identification of the vulnerable target(s)
- A description of the vulnerability
- Operations carried out to exploit the vulnerability
This is usually sufficient information to enable the GSMA to consider the vulnerability and will allow for verification and identification of possible remediations. A Proof-of-Concept (POC) or more detailed description may be requested in the case of complex vulnerabilities.
The GSMA may ask a Reporter for more information throughout the consideration process.
Once you have completed this template, you should submit it by email to the GSMA on email@example.com.
The GSMA recommends that all vulnerability disclosure submissions are encrypted, but use of encryption is at the discretion of the finder.
—-BEGIN PGP PUBLIC KEY BLOCK—-
—-END PGP PUBLIC KEY BLOCK—-
To submit documents or other attachments in addition to the information in this form, please email these to firstname.lastname@example.org.
GSMA Coordinated Vulnerability Disclosure Programme – Disclaimer
The GSMA responsibilities and any other activities carried out as part of the GSMA Coordinated Vulnerability Disclosure programme are provided “as is”, without any warranty of any kind. All warranties, whether expressed or implied, or statutory, including without limitation any implied or other warranties of merchantability, fitness for a particular purpose, non-infringement, quality, accuracy, completeness, title or quite enjoyment are expressly disclaimed and excluded.
As this programme is designed to benefit the safety of mobile networks and users, the CVD Governance Team, the GSMA, its staff and members do not warrant or assume any liability for the responsibilities of this programme, or ”Validation of Submissions” and any other activities or milestones set forth by the GSMA. Each beneficiary of this activity will engage in this offering without reliance or any representation and /or warranty of the other parties and all such representations and/or warranties are, to the greatest extent permitted by applicable law, hereby disclaimed.
Owners or providers of an offering that has been identified by a Finder as having a vulnerability will only be given details of such vulnerability under this programme. The vulnerability must be validated in accordance with the GSMA Coordinated Vulnerability Disclosure process.