GSMA Coordinated Vulnerability Disclosure (CVD) Programme

Welcome to the GSMA Coordinated Vulnerability Disclosure Programme

The GSMA Coordinated Vulnerability Disclosure (CVD) programme gives security researchers a route to disclose a vulnerability impacting the mobile ecosystem, so that the impact can be mitigated before the vulnerability enters the public domain. We work with mobile operators, suppliers and standards bodies to develop fixes and mitigating actions to protect customers’ security and trust in the mobile communications industry.

Further information is available below and in the GSMA permanent reference document FS.23; GSMA members can also search for ‘CVD’ on GSMA InfoCentre2.

Overview of the GSMA CVD Programme

GSMA regards the security of mobile network infrastructure and customer apparatus, such as devices and smart cards, as essential to the provision of secure and trustworthy services by its members. The GSMA recognises the need for industry to have in place processes that are capable of dealing with and handling disclosures about potential security vulnerabilities that could impact the industry and its customers.

The GSMA welcomes security research designed to enhance security levels to better protect assets and customers, and its Coordinated Vulnerability Disclosure programme is designed to support the reporting and remediation of security vulnerabilities at industry level.

We invite both private individuals and organisations to report vulnerabilities to the GSMA in a responsible manner in line with our CVD programme scope.

Full details about the GSMA CVD Programme can be found in the document FS.23.

Scope

The scope of the CVD Programme is security vulnerabilities that impact the mobile industry, primarily in open-standards-based technologies.

The following items are out of scope for the CVD Programme.

  • Research or information on a vulnerability which has previously been made public. A vulnerability which is already in the public domain is out of scope for inclusion in the Hall of Fame, but may be considered through the CVD Programme in order to develop remediations.
  • Services or products provided by a single Manufacturer or Manufacturer group. These should be reported to the relevant Manufacturer.
  • Services or products provided by a single company or group of companies. These should be reported to the relevant company.
  • Submissions by GSMA Members, Associate Members and Rapporteurs where they are working on the topic as part of an Activity. These should be reported through the relevant Activity.

For vulnerabilities in GSMA websites or services please see here.

Research Expectations

The GSMA is grateful to Reporters who afford us the opportunity to consider their findings, liaise with the industry and define remediation and mitigation actions. However, participation in the CVD Programme requires that Reporters do not engage in activities that violate any local legislation or regulations and third-party rights.

Reporters are asked to:

  • Not abuse the reported vulnerability, for example by downloading more data than is necessary to demonstrate the vulnerability, or by changing or deleting live systems, settings or data.
  • Exercise caution and restraint with regard to personal data, and not intentionally engage in attacks against third parties, social engineering, denial-of-service attacks, spamming or otherwise causing a nuisance to other users.

If there is any doubt, please contact security@gsma.com.

How to Submit

There are two ways of submitting to the GSMA CVD programme: you can download the submission form in Microsoft Word or text format and send it back to the GSMA, or you can fill in an online form (see further below).

We request finders to describe the vulnerability on the submission form, including:

  • Identification of the vulnerable target(s)
  • A description of the vulnerability
  • Operations carried out to exploit the vulnerability

This is usually sufficient information to enable the GSMA to consider the vulnerability and will allow for verification and identification of possible remediations. A Proof-of-Concept (POC) or more detailed description may be requested in the case of complex vulnerabilities.

The GSMA may ask a Reporter for more information throughout the consideration process.

Submission Forms

Submission Form - Word Version
Submission Form - Text Version

Once you have completed this template, you should submit it by email to the GSMA on security@gsma.com.

The GSMA recommends that all vulnerability disclosure submissions are encrypted, but use of encryption is at the discretion of the finder.


PGP Details:



Online form

To submit documents or other attachments in addition to the information in this form, please email these to security@gsma.com.

GSMA Coordinated Vulnerability Disclosure Programme – Disclaimer

The GSMA responsibilities and any other activities carried out as part of the GSMA Coordinated Vulnerability Disclosure programme are provided “as is”, without any warranty of any kind. All warranties, whether expressed or implied, or statutory, including without limitation any implied or other warranties of merchantability, fitness for a particular purpose, non-infringement, quality, accuracy, completeness, title or quiet enjoyment are expressly disclaimed and excluded.

As this programme is designed to benefit the safety of mobile networks and users, the CVD Governance Team, the GSMA, its staff and members do not warrant or assume any liability for the responsibilities of this programme, or “Validation of Submissions” and any other activities or milestones set forth by the GSMA. Each beneficiary of this activity will engage in this offering without reliance or any representation and/or warranty of the other parties and all such representations and/or warranties are, to the greatest extent permitted by applicable law, hereby disclaimed.

Owners or providers of an offering that has been identified by a Finder as having a vulnerability will only be given details of such vulnerability under this programme. The vulnerability must be validated in accordance with the GSMA Coordinated Vulnerability Disclosure process.