GSMA CVD Programme Reports Another Strong Year

The GSMA Coordinated Vulnerability Disclosure Programme was founded in 2017 to help security researchers report security vulnerabilities and to enable the mobile telecommunication ecosystem to respond to and resolve reported vulnerabilities. Since its introduction, the programme has considered over 100 vulnerability disclosures with 53 reports being formally acknowledged as increasing the security posture of the mobile industry.

Every year since the programme was started, the GSMA has hosted an annual review of the scheme. The review is undertaken by the programme’s Panel of Experts and provides an opportunity to review the programme’s performance and impact over the past 12 months, as well as an opportunity to look ahead at how the programme should evolve to fulfil future industry needs. This year’s review was completed on the 5th June 2025.

Overview of GSMA CVD Programme

The GSMA CVD Programme provides security researchers with a trusted and structured pathway to report vulnerabilities affecting the mobile ecosystem. This approach enables the identification and mitigation of potential threats before they become public, helping to safeguard the security and integrity of mobile networks worldwide.

Through collaboration with mobile operators, vendors, and standards bodies, the GSMA works to develop effective fixes and mitigation strategies that protect customers and uphold trust in mobile communications.

The GSMA actively encourages responsible disclosure of security research, recognising its vital role in strengthening industry-wide defences and enhancing the protection of assets and users. The CVD Programme is purpose-built to support this process, enabling coordinated reporting and resolution of vulnerabilities at scale.

GSMA CVD Programme Panel of Experts

The Panel of Experts (PoE) is the group of subject matter experts from GSMA member organisations who assess the risks posed by reported vulnerabilities and consider options for remediation of the vulnerabilities submitted to GSMA via the CVD programme. The PoE comprises members from a broad cross-section of the mobile industry and they sit on the panel in their personal capacity as subject matter experts, as opposed to representing their employers. PoE activities include technical analysis of vulnerabilities, assessing the impact of submissions, suggesting remediation options and contributing to advisories relating to the vulnerabilities.

The PoE also review the performance and impact of the programme and the highlights noted during this year’s annual review were:

  • Successful Year for the Programme – The panel reviewed the programme’s performance over the past 12 months. In that period the scheme added 3 new acknowledgements to the GSMA website. The panel noted that the feedback received from security researchers over this period was very positive and the programme’s KPIs for responding to submissions had been met. The panel concluded that the programme was in good health and had provided significant value to the industry.
  • NCSC Internship Supports GSMA CVD Programme – In 2024, an undergraduate from the UK’s National Cyber Security Centre (NCSC) successfully completed an analysis project during an internship at the GSMA. The objective was to gather publicly available mobile vulnerability research and assess whether it fell within the scope of the GSMA CVD Programme. The project aimed to identify research that may not have been reaching the GSMA CVD process, with the intention of proactively engaging those researchers and promoting responsible disclosure. The ultimate goal is to provide the mobile industry with early visibility of emerging vulnerabilities, helping to reduce the risk of zero-day exploits. The Panel of Experts reviewed the findings, welcomed the insights, and supported the continuation and expansion of this analysis in future efforts.
  • PoE Skill Sets Remain Strong and Well-Balanced – Following the latest recruitment phase in Autumn 2024, which welcomed new talent to the expert panel, the overall skillset of the Panel of Experts (PoE) was reviewed. The assessment concluded that the panel maintains a robust and well-balanced range of expertise, effectively covering all key areas of current mobile network technology. However, it was noted that emerging areas such as mobile money and artificial intelligence (AI) should be monitored closely, with a view to strengthening expertise in these domains if their relevance continues to grow.

Get Involved with the GSMA Coordinated Vulnerability Disclosure (CVD) Programme

There are multiple ways to participate in the GSMA CVD Programme—whether you’re a security researcher looking to report a vulnerability or a GSMA member interested in joining our Panel of Experts.

  • For Security Researchers
    We welcome vulnerability submissions from both individuals and organisations. If you have identified a security issue affecting the mobile ecosystem, you are encouraged to report it responsibly in line with the scope of our programme. Detailed guidance on how to submit a vulnerability can be found here.
  • For GSMA Member Experts
    If you are a mobile telecommunications security professional working for a GSMA member organisation, you are invited to apply for a position on the CVD Panel of Experts. The next scheduled recruitment round is planned for late 2026, though occasional ad-hoc opportunities may arise. You can register your interest here.

For any questions about the programme or to express interest in joining the panel, please contact us at cvd@gsma.com.