GSMA Coordinated Vulnerability Disclosure (CVD)

Wednesday 29 May 2019 | Build | Concept | Deployment | Design and Development | Operational |

The GSMA Coordinated Vulnerability Disclosure (CVD) Programme provides a formal structure for security researchers and similar parties to disclose details of security vulnerabilities affecting the mobile industry. It allows the mobile industry to consider and develop fixes and mitigating actions for these vulnerabilities before researchers disclose information publicly.

Audience: Technical security practitioner

Resource technology specifics: Generic, User equipment, Radio access network (RAN), Core network, UICC/eUICC/iUICC

Resource type: Process or procedure

Resource enforcement: Voluntary

Advantage
  • The programme accepts vulnerability submissions from GSMA members and the public alike.
  • Provides a method to work confidentially on a reported mobile industry vulnerability which does not have an MNO or vendor to mitigate it.
  • The programme respects researchers who wish to submit their findings to a conference or publication which asks to be the first public announcement of findings.

Disadvantage
  • Reliant on the good will of security researchers to disclose to the GSMA and work with us to resolve an issue.
  • Conflicts of interest may arise which could jeopardise the ‘coordinated’ aspect.