Welcome to the GSMA Coordinated Vulnerability Disclosure Programme
The GSMA Coordinated Vulnerability Disclosure (CVD) programme gives security researchers a route to disclose a vulnerability impacting the mobile ecosystem meaning the impact can be mitigated before it enters the public domain. We work with mobile operators, suppliers and standards bodies to develop fixes and mitigating actions to protect customers’ security and trust in the mobile communications industry.
Please find further information below, or GSMA members can search for ‘CVD’ on GSMA InfoCentre2.
GSMA regards the security of mobile network infrastructure and customer apparatus, such as devices and smart cards, as essential to the provision of secure and trustworthy services by its members. The GSMA recognises the need for industry to have in place processes that are capable of dealing with and handling disclosures about potential security vulnerabilities that could impact the industry and its customers.
The GSMA welcomes security research designed to enhance security levels to better protect assets and customers and its Coordinated Vulnerability Disclosure programme is designed to support the reporting and remediation of security vulnerabilities at industry level.
Security researchers that discover vulnerabilities or weaknesses in mobile systems, that are not proprietary in nature, are welcome to contact the GSMA, which is pleased to receive such details so that the impact and mitigation options can be considered.
We invite both private individuals and organisations to report vulnerabilities to the GSMA in a responsible manner in line with our CVD programme scope and objectives.
In order for a disclosure to be eligible for submission under GSMA’s Coordinated Vulnerability Disclosure programme the identified security vulnerability must not only apply to vendor specific technologies or services. Such issues should be reported to the vendors in question.
Disclosures to GSMA must focus on open standards based technologies which are not proprietary to a specific vendor but that are used across, or have significant impact on, the mobile industry (e.g. including but not limited to protocols specified by IETF, ITU, ISO, ETSI, 3GPP, GSMA etc.)
For disclosures regarding GSMA assets please click here.
We request you to:
- Email your findings using the GSMA CVD report format below, If desired, submissions can be encrypted using GSMA’s GPG Key.
- Do not abuse the vulnerability by, for example, downloading more data than is necessary to demonstrate the leak, or by changing or deleting data.
- Exercise caution and restraint with regard to personal data and not intentionally engage in attacks against third parties, social engineering, denial-of-service attacks or spamming or otherwise causing nuisance to other users.
- Do not share information about the vulnerability with others until it has been resolved in accordance with the GSMA’s CVD policy timeframes.
- Provide a Proof-of-Concept (POC) and / or sufficient information to enable reproduction of the vulnerability, so that it can be verified, reproduced, and possible remedies identified. Generally, identification of the vulnerable target, a description of the vulnerability and operations carried out to exploit the vulnerability are sufficient, but more details and information might be required in the case of complex vulnerabilities.
What we will do:
- Respond within 10 working days to all submitted reports with an acknowledgement and initial appraisal of the information provided by the finder. There may be times where remediation is not a possible option, for a variety of reasons. The GSMA will assess if remediation is possible, and by when. It will keep the finder informed of the progress of any remediation action.
- Treat submitted reports confidentially and will not share the finder’s personal details with third parties without their authorisation, unless required to do so in order to comply with legal obligations.
- Accept anonymous or pseudonymous reports but finders choosing to engage in this way should be aware that the GSMA cannot confidently contact them concerning, for example, the steps taken, progress in remediating the reported vulnerability and publication of the vulnerability.
- If acceptable to the finder, the GSMA will credit those that submit reports of discovered vulnerabilities. The GSMA will, where appropriate, recognise disclosures by naming the finders on its Mobile Security Research Hall of Fame on GSMA’s website. Entry to the Mobile Security Research Hall of Fame will be determined by the GSMA on a case-by-case basis and eligibility will depend on factors such as the efficacy of the research, the accuracy of the vulnerability claims, the quality of the report submitted, the severity and global applicability of the vulnerability, etc.
- Resolve all submitted reports as quickly as possible, to keep all involved parties informed and participate in the publication of details pertaining to remedied vulnerabilities.
There are two ways of submitting to the GSMA CVD programme: You can download the forms in Microsoft Word or Text version format and send it back to the GSMA; or you can fill an online form (see further below).
Downloading a document
The vulnerability should be described using one of the templates below:
Once you have completed this template, you should submit it by email to the GSMA on firstname.lastname@example.org.
The GSMA recommends that all vulnerability disclosure submissions are encrypted, but use of encryption is at the discretion of the finder.
—–BEGIN PGP PUBLIC KEY BLOCK—–
—–END PGP PUBLIC KEY BLOCK—–
Filling in an online form
GSMA Coordinated Vulnerability Disclosure Programme – Disclaimer
The GSMA responsibilities and any other activities carried out as part of the GSMA Coordinated Vulnerability Disclosure programme are provided “as is”, without any warranty of any kind. All warranties, whether expressed or implied, or statutory, including without limitation any implied or other warranties of merchantability, fitness for a particular purpose, non-infringement, quality, accuracy, completeness, title or quite enjoyment are expressly disclaimed and excluded.
As this programme is designed to benefit the safety of mobile networks and users, the CVD Governance Team, the GSMA, its staff and members do not warrant or assume any liability for the responsibilities of this programme, or ”Validation of Submissions” and any other activities or milestones set forth by the GSMA. Each beneficiary of this activity will engage in this offering without reliance or any representation and /or warranty of the other parties and all such representations and/or warranties are, to the greatest extent permitted by applicable law, hereby disclaimed.
Owners or providers of an offering that has been identified by a Finder as having a vulnerability will only be given details of such vulnerability under this programme. The vulnerability must be validated in accordance with the GSMA Coordinated Vulnerability Disclosure process.