
Coordinated vulnerability disclosure (CVD) programme
Supporting researchers and the wider ecosystem to resolve vulnerabilities and protect customer security
The aim of the CVD programme
We invite both private individuals and organisations to report vulnerabilities to the GSMA in a responsible manner that is in line with our programme scope.
Where appropriate, CVD submissions and countermeasures are also added to the relevant GSMA reference document. You can find out more about submitting a vulnerability to the programme here.
GSMA regards the security of mobile network infrastructure and customer equipment, such as devices, as essential to the provision of secure and trustworthy services by its members.
The GSMA coordinated vulnerability disclosure (CVD) programme gives security researchers a route to disclose a vulnerability impacting the mobile ecosystem, meaning the impact can be mitigated before it enters the public domain. We work with mobile operators, suppliers and standards bodies to develop fixes and mitigating actions to protect customers’ security and trust in the mobile communications industry.
We encourage disclosure of security research which enhances security levels and better protects assets and customers, and our coordinated vulnerability disclosure programme is designed to support the reporting and remediation of security vulnerabilities at industry level.
CVD process

GSMA Member CVD programme
The GSMA CVD Programme addresses security vulnerabilities impacting the mobile industry, with a focus on open standards-based technologies. Vulnerabilities affecting the services or products of a specific manufacturer or company should be reported directly to that organisation.
Researchers looking to report a company-specific vulnerability can consult the list of company CVD programmes available here. If the company you wish to contact is not listed, please reach out to us at [email protected], and we will try to assist you.
CVD disclaimer
The GSMA responsibilities and any other activities carried out as part of the GSMA Coordinated vulnerability disclosure programme are provided “as is”, without any warranty of any kind. All warranties, whether expressed or implied, or statutory, including without limitation any implied or other warranties of merchantability, fitness for a particular purpose, non-infringement, quality, accuracy, completeness, title or quiet enjoyment are expressly disclaimed and excluded.
As this programme is designed to benefit the safety of mobile networks and users, the CVD Governance Team, the GSMA, its staff and members do not warrant or assume any liability for the responsibilities of this programme, or ‘validation of submissions’ and any other activities or milestones set forth by the GSMA. Each beneficiary of this activity will engage in this offering without reliance or any representation and/or warranty of the other parties and all such representations and/or warranties are, to the greatest extent permitted by applicable law, hereby disclaimed.
Owners or providers of an offering that has been identified by a finder as having a vulnerability will only be given details of such vulnerability under this programme. The vulnerability must be validated in accordance with the GSMA Coordinated vulnerability disclosure process.
GSMA Operator, Associate and Rapporteur Members interested in applying to join the CVD panel of experts can find out more details here.

Security research acknowledgements

CVD programme assets
Please note: Recognition in the Mobile Security Research Acknowledgements page is for identifying vulnerabilities which affect mobile industry standards and services, NOT for those pertaining to GSMA Assets listed below.
This is not a bug bounty programme; consequently, GSMA does not offer any rewards for submitted vulnerabilities of this type.
- GSMA Websites
- InfoCentre
- Device Database
- Device Check
- Device Map
- Pathfinder
- Event Systems and Services
- RAEX
- Pegged Exchange
We invite private individuals and organisations to report vulnerabilities identified in GSMA assets.