An introduction to the CVD programme

GSMA regards the security of mobile network infrastructure and customer equipment such as devices, as essential to the provision of secure and trustworthy services by its members.

The GSMA Coordinated Vulnerability Disclosure (CVD) programme gives security researchers a route to disclose a vulnerability impacting the mobile ecosystem meaning the impact can be mitigated before it enters the public domain. We work with mobile operators, suppliers and standards bodies to develop fixes and mitigating actions to protect customers’ security and trust in the mobile communications industry.

The GSMA encourages disclosure of security research which enhances security levels and better protects assets and customers, and our Coordinated Vulnerability Disclosure programme is designed to support the reporting and remediation of security vulnerabilities at industry level.

We invite both private individuals and organisations to report vulnerabilities to the GSMA in a responsible manner in line with our programme scope.

You can find out more about submitting a vulnerability to the programme here.

Let’s hear from David Rogers, FASG chair on why the CVD programme is important:

Impact of the GSMA CVD Programme

Since our CVD Programme started in 2017 we have considered over 70 vulnerability disclosures, many encapsulating multiple linked vulnerabilities. The technologies have included:

  • 2G, 3G, 4G and 5G radio and core networks including Circuit Switched Fallback, IP Multimedia Subsystem, authentication, encryption & unique identifiers
  • SIM cards and SIM applets
  • Roaming and interconnect
  • VoLTE
  • Wireless Emergency Alerts

The GSMA CVD programme has allowed the industry to improve security in a number of ways thanks to researchers bringing their research on vulnerabilities to the programme prior to public release.

Recent examples include:

  • Removal of weak GPRS encryption algorithms from devices and adding respective device test-cases for new devices, prior to the public release of research identifying the weakness. Update of 3GPP specifications within a week of the release of the research (usually takes several months) – research.
  • Mandatory inclusion of full-rate user-plane integrity protection for 5G from 3GPP Rel-16, providing protection for an estimated 395 million additional 5G devices – research.
  • Issuing of patches to prevent keystream reuse by network equipment that did not follow the standards, prior to public presentation of the research. Also included a new SCAS test for this behaviour during NESAS audits – research.
  • Inform MNOs about the exploitation of SIM cards with a vulnerable applet installed and issue guidance to prevent misuse – research.

Where appropriate, CVD submissions and countermeasures are also added to the relevant GSMA reference document.

GSMA Coordinated Vulnerability Disclosure Programme – Disclaimer

The GSMA responsibilities and any other activities carried out as part of the GSMA Coordinated Vulnerability Disclosure programme are provided “as is”, without any warranty of any kind. All warranties, whether expressed or implied, or statutory, including without limitation any implied or other warranties of merchantability, fitness for a particular purpose, non-infringement, quality, accuracy, completeness, title or quite enjoyment are expressly disclaimed and excluded.

As this programme is designed to benefit the safety of mobile networks and users, the CVD Governance Team, the GSMA, its staff and members do not warrant or assume any liability for the responsibilities of this programme, or ”Validation of Submissions” and any other activities or milestones set forth by the GSMA. Each beneficiary of this activity will engage in this offering without reliance or any representation and /or warranty of the other parties and all such representations and/or warranties are, to the greatest extent permitted by applicable law, hereby disclaimed.

Owners or providers of an offering that has been identified by a Finder as having a vulnerability will only be given details of such vulnerability under this programme. The vulnerability must be validated in accordance with the GSMA Coordinated Vulnerability Disclosure process.

GSMA Operator, Associate and Rapporteur members interested in applying to join the CVD Panel of Experts can find out more details here.

Contact us for information about the GSMA CVD Programme

[email protected]