Coordinated vulnerability disclosure (CVD) programme

The aim of the CVD programme

We invite both private individuals and organisations to report vulnerabilities to the GSMA in a responsible manner in line with our programme scope.

Where appropriate, CVD submissions and countermeasures are also added to the relevant GSMA reference document. You can find out more about submitting a vulnerability to the programme here.

GSMA regards the security of mobile network infrastructure and customer equipment, such as devices, as essential to the provision of secure and trustworthy services by its members.

The GSMA coordinated vulnerability disclosure (CVD) programme gives security researchers a route to disclose a vulnerability impacting the mobile ecosystem, meaning the impact can be mitigated before it enters the public domain. We work with mobile operators, suppliers and standards bodies to develop fixes and mitigating actions to protect customers’ security and trust in the mobile communications industry.

The GSMA encourages disclosure of security research which enhances security levels and better protects assets and customers, and our coordinated vulnerability disclosure programme is designed to support the reporting and remediation of security vulnerabilities at industry level.

CVD process

CVD disclaimer

The GSMA responsibilities and any other activities carried out as part of the GSMA Coordinated vulnerability disclosure programme are provided “as is”, without any warranty of any kind. All warranties, whether expressed or implied, or statutory, including without limitation any implied or other warranties of merchantability, fitness for a particular purpose, non-infringement, quality, accuracy, completeness, title or quiet enjoyment are expressly disclaimed and excluded.

As this programme is designed to benefit the safety of mobile networks and users, the CVD Governance Team, the GSMA, its staff and members do not warrant or assume any liability for the responsibilities of this programme, or ‘validation of submissions’ and any other activities or milestones set forth by the GSMA. Each beneficiary of this activity will engage in this offering without reliance or any representation and/or warranty of the other parties and all such representations and/or warranties are, to the greatest extent permitted by applicable law, hereby disclaimed.

Owners or providers of an offering that has been identified by a finder as having a vulnerability will only be given details of such vulnerability under this programme. The vulnerability must be validated in accordance with the GSMA Coordinated vulnerability disclosure process.

GSMA Operator, Associate and Rapporteur Members interested in applying to join the CVD panel of experts can find out more details here.

Security research acknowledgements

CVD programme assets