0% found this document useful (0 votes)

103 views

GSMA Coordinated Vulnerability Disclosure Program 16 July 2020

Ggg yada

Uploaded by

Roei Zohar

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

103 views

GSMA Coordinated Vulnerability Disclosure Program 16 July 2020

Ggg yada

Uploaded by

Roei Zohar

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 32

GSM Association Non-confidential

Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

GSMA Coordinated Vulnerability Disclosure Program

Version 3.0
16 July 2020

This is a Non-binding Permanent Reference Document of the GSMA

Security Classification: Non-confidential

Access to and distribution of this document is restricted to the persons permitted by the security classification. This document is confidential to the
Association and is subject to copyright protection. This document is to be used only for the purposes for which it has been supplied and
information contained in it must not be disclosed or in any other way made available, in whole or in part, to persons other than those permitted
under the security classification without the prior written approval of the Association.

Disclaimer
The GSM Association (“Association”) makes no representation, warranty or undertaking (express or implied) with respect to and does not accept
any responsibility for, and hereby disclaims liability for the accuracy or completeness or timeliness of the information cont ained in this document.
The information contained in this document may be subject to change without prior notice.

Antitrust Notice
The information contain herein is in full compliance with the GSM Association’s antitrust compliance policy.

V3.0 Page 1 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

Table of Contents
1 Introduction 4
1.1 Overview 4
1.2 Definition of Terms 4
1.3 Abbreviations 5
1.4 References 6
2 GSMA CVD Policy 7
2.1 Scope of the GSMA CVD Programme 7
2.1.1 In Scope 7
2.1.2 Out of Scope 7
2.2 Reporting a vulnerability to the GSMA 7
2.2.1 Timings 7
2.3 Disclosure 8
2.4 Credit to Reporter 8
2.5 Research Expectations 8
3 General 9
3.1 Document scope 9
3.2 Programme Goals 9
4 The Panel of Experts 9
4.1 Make-up of the Panel of Experts 9
4.2 Joining the Panel of Experts 10
4.3 Period of appointment and removal from the Panel of Experts 11
5 CVD Submission and Consideration Process 12
5.1 Submission by Reporter 12
5.2 Validation and acknowledgement of a Submission 12
5.3 Formation of a Submission Consideration Group and consideration of a
Submission 13
5.4 Informing the Reporter of the SCG’s decision 13
5.5 Remediation, including creation of advisories and outputs 13
5.6 Ongoing communication 14
5.7 Closedown of Submission 14
5.7.1 Mobile Security Research Hall of Fame 15
5.8 Updating of Submission 15
5.9 Submission disputes 15
6 Roles and Responsibilities 16
6.1 CVD Director Responsibilities 16
6.2 GSMA CTO Responsibilities 17
6.3 Panel of Experts Member Responsibilities 17
6.4 Submission Consideration Group Responsibilities 18
7 Programme review 19
7.1 Quarterly Conference Call 19
7.2 CVD Programme Annual Review 19
8 Reporting 19

V3.0 Page 2 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

8.1 Monthly reporting 19

9 Disclosure and confidentiality 20
Annex A GSMA CVD History 21
Annex B CVD Document Templates 22
B.1 Email Format 22
B.2 Word Template 23
B.3 CVD Close Down Template 24
B.4 Example Panel of Experts (PoE) Application Form 25
Annex C Individual Non-Disclosure Agreement 27
Annex D Document Management 32
D.1 Document History 32
D.2 Other Information 32

V3.0 Page 3 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

1 Introduction

1.1 Overview
Coordinated Vulnerability Disclosure (CVD) of security vulnerabilities is a well-established
process which allows people or groups, such as security researchers, to report details of
security vulnerabilities in products and services. The GSMA CVD programme provides a
framework that sets clear expectations for constructive engagement by all parties to
remediate or mitigate notified vulnerabilities.

The early disclosure of vulnerabilities can help to protect end users, allowing manufacturers
and providers of products and services to address security issues before public disclosures
are made.

The GSMA operates a programme for CVD (“CVD Programme”) to better protect mobile
industry systems, mobile users and the wider industry ecosystem. The GSMA’s CVD
Programme does not consider vulnerabilities affecting an individual manufacturer or
operator, but deals with security vulnerabilities that impact the mobile industry as a whole.
This means that vulnerabilities which are non-manufacturer specific can be reported,
remediation options considered and actioned.

This document, and its associated components, has been built around best practice
recommendations contained in ISO/IEC 27001:2013 [1] and ISO/IEC 29147:2018 [2]
pertaining to the handling and communication of disclosures, and The CERT® Guide to
Coordinated Vulnerability Disclosure [3][3]. Because GSMA’s CVD Programme is pan-
industry, it does not align with all aspects within these recommendations, which focus on
programmes run by individual manufacturers or providers of services.

1.2 Definition of Terms

Term Description
Any activity undertaken by an Association’s project, forum, task force or
Activity
any other group constituted in accordance with the Articles of Association.
An individual or organisation that performs a set of activities including
identifying and engaging stakeholders, mediating, communicating, and
Coordinator
other planning in support of vulnerability disclosure. The CVD Director
takes on this role in the GSMA CVD Programme.
CVD Director The director of the CVD Programme as appointed by the GSMA.
A technique that takes advantage of a security vulnerability to cause
Exploit
unintended or unanticipated behaviour to occur.
The subgroup of the GSMA’s Fraud and Security Group that is focussed
Fraud and Security
on the protection of networks and smart cards, and engagement with
Architecture Group
researchers to realise improved security levels.
The GSMA’s Group which leads the mobile industry’s management of
fraud and security matters related to mobile technology, networks and
Fraud and Security
services, with the objective to maintain or increase the protection of mobile
Group [10]
operator technology and infrastructure, customer identity, security and
privacy such that consumers are protected from harm, the industry’s

V3.0 Page 4 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

Term Description
reputation stays strong and mobile operators remain trusted partners in
the ecosystem.
GSMA Members,
Members, Associate Members or Rapporteurs of the GSMA in accordance
Associate Members
with the articles of association and regulations governing the GSMA.
and Rapporteurs
One or multiple related and identified occurrences indicating a possible
Incident breach of information security or failure of controls that can harm an
organisation's assets or compromise its operations.
The individual or organisation that develops a product or service or is
responsible for its maintenance. This includes an individual or organisation
Manufacturer
such as a commercial business or an organisation that delivers software or
services for free.
The minimum information about a vulnerability as is required to satisfy the
Minimum viable legal or regulatory notification requirement. This is considered to be
details information required to prevent an Incident from occurring rather than
revealing information about the vulnerability.
A workaround or countermeasure that eliminates, or reduces the likelihood
Mitigation
or impact of a successful attack.
The group of experts from GSMA Members, Associate Members and
Panel of Experts Rapporteurs who consider Submissions in their area of expertise, and
review the GSMA CVD Programme.
A change made to a product or service to remove or mitigate a
Remediation
vulnerability.

An individual or organisation that notifies a manufacturer or Coordinator of

Reporter
a potential vulnerability.

The information about a vulnerability that is provided to the GSMA CVD by

Submission
a Reporter.
Submission A group convened by GSMA to consider a specific Submission made up of
Consideration Group the Panel of Experts, Submission Specific Experts and GSMA staff.
An expert in a particular area invited by the GSMA to consider a specific
Submission Specific CVD Submission as part of the Submission Consideration Group. They
Expert may or may not be affiliated with GSMA Members, Associate Members
and Rapporteurs.
A user of a product or service, who may also be referred to as customers,
User
consumers or end users.
The functional behaviour of a product or service that violates an implicit or
Vulnerability
explicit security policy.
Vulnerability The act of initially providing vulnerability information to a party that was not
Disclosure believed to be previously aware.

1.3 Abbreviations
Term Description
CVD Coordinated Vulnerability Disclosure

V3.0 Page 5 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

Term Description
FASG Fraud and Security Group
FSAG Fraud and Security Architecture Group
GPG GNU Privacy Guard
ISO International Standards Organisation
POC Proof of Concept
PoE Panel of Experts
SCG Submission Consideration Group

1.4 References
Ref Title Link
ISO/IEC 27001:2013 Information
technology — Security techniques —
[1] https://www.iso.org/standard/54534.html
Information security management
systems — Requirements
ISO/IEC 29147:2018 Information
[2] Technology – Security Techniques – https://www.iso.org/standard/72311.html
Vulnerability Disclosure

The CERT Guide to Coordinated https://resources.sei.cmu.edu/asset_files/Specia

[3]
Vulnerability Disclosure lReport/2017_003_001_503340.pdf

[4] GSMA CVD webpages http://www.gsma.com/cvd/

[5] GSMA Security.txt https://www.gsma.com/.well-known/security.txt

https://www.gsma.com/security/gsma-mobile-
[6] Mobile Security Research Hall of Fame
security-hall-of-fame/

https://infocentre2.gsma.com/gp/wg/FSG/CVD/P
[7] CVD on InfoCentre2
ages/Default.aspx

https://www.gsma.com/aboutus/wp-
[8] GSMA AA.16
content/uploads/2019/08/AA.16-v3.19.pdf

https://www.gsma.com/aboutus/legal/anti-trust-
[9] GSMA Antitrust Policy Statement
policy-statement

https://www.gsma.com/aboutus/workinggroups/fr
[10] Fraud and Security Group aud-security-group

V3.0 Page 6 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

2 GSMA CVD Policy

Through its CVD programme the GSMA aims to cooperate with vulnerability Reporters and
security researchers to better protect mobile industry systems, mobile users and the wider
industry ecosystem.

2.1 Scope of the GSMA CVD Programme

2.1.1 In Scope
The scope of the CVD Programme is security vulnerabilities that impact the mobile industry,
primarily open standards based technologies.

2.1.2 Out of Scope

The following items are out of scope for the CVD Programme.

 Research or information on a vulnerability which has previously been made public.

Research or information on a vulnerability which is already in the public domain is out
of scope for inclusion in the Hall of Fame, but may be considered through the CVD
Programme in order to develop remediations.

 Services or products provided by a single Manufacturer or Manufacturer group, these

should be reported to the relevant Manufacturer.

 Services or products provided by a single company or group of companies. These

should be reported to the relevant company.

 Submissions by GSMA Members, Associate Members and Rapporteurs where they

are working on the topic as part of an Activity. These should be reported through the
relevant Activity.

Vulnerabilities in GSMA websites or services – should be reported to

[email protected].

2.2 Reporting a vulnerability to the GSMA

To make a Submission, Reporters are requested to complete one of the templates found at
www.gsma.com/cvd [4] and email it to [email protected]. GPG encryption is encouraged
but not required, the public key can be found at [4].

Further information is available at www.gsma.com/.well-known/security.txt [5].

During the process, communication with the GSMA is requested to be in English, by email
and through a single main Reporter (Section 5.1 contains more information).

2.2.1 Timings
The GSMA aims to:

 Acknowledge a Reporter’s Submission within 2 working days of receiving a

completed Submission form.

V3.0 Page 7 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

 Make an initial appraisal of the Submission, and provide a response within 10

working days of receiving a completed Submission form.

Depending on the nature of the vulnerability the timescale for remediation will vary; the
default for the GSMA’s response is 90 days. This will be discussed with the Reporter to
manage expectations.

GSMA does not carry out remediation in networks or equipment on behalf of individual
companies, and is not empowered to make changes to standards defined by external
bodies. This remediation work will require additional time, after the steps laid out in Section
5, and will vary between companies.

2.3 Disclosure
The GSMA’s timeline for remediation and public disclosure will be determined by the
vulnerability, the route(s) to remediation, and the scale of remediating actions. The GSMA
will also consider external deadlines the Reporter has committed to such as publications or
conferences.

To assist with coordination, the GSMA requests that Reporters confirm to which other
organisations they have disclosed the vulnerability.

The GSMA will consider whether other organisations are required to carry out remediating
actions. When required, the GSMA will confirm the Reporter is happy for this discussion to
occur, and whether the Reporter wishes to be named in these communications.

As part of the consideration and remediation of a vulnerability, the GSMA may create
advisories and outputs for the benefit of the mobile industry, such as a briefing papers and
statements relating to the vulnerability. These will be shared with the GSMA Members,
Associate Members and Rapporteurs under a confidentiality notice.

2.4 Credit to Reporter

If appropriate and acceptable to the Reporter, the GSMA will recognise disclosures by
naming the Reporters in its publicly hosted “Mobile Security Research Hall of Fame” [6].

Entry to the Mobile Security Research Hall of Fame is determined by the GSMA on a case-
by-case basis. The eligibility criteria for the Mobile Security Research Hall of Fame are found
in Section 5.7.1.

2.5 Research Expectations

The GSMA is grateful to Reporters who afford us the opportunity to consider their findings,
liaise with the industry and define remediation and mitigation actions.

However, participation in the CVD Programme requires that Reporters do not engage in
activities that violate any local legislation or regulations and third party rights.

Reporters are asked to:

1. Not abuse the reported vulnerability. For example, downloading more data than is
necessary to demonstrate the vulnerability, or changing/deleting live systems,
settings or data.

V3.0 Page 8 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

2. Exercise caution and restraint with regard to personal data and not intentionally
engaging in attacks against third parties, social engineering, denial-of-service attacks,
spamming or otherwise causing a nuisance to other users.

If there is any doubt, please contact [email protected].

3 General

3.1 Document scope

This document outlines the policy, process and functions relating to the GSMA CVD
Programme; setting clear expectations for anybody engaging with the process.

3.2 Programme Goals

The GSMA CVD Programme is built around one central goal:

 Protect the mobile telecommunications industry, and consumers, by considering and

managing options available to remediate vulnerabilities affecting mobile
telecommunications before they are disclosed publicly.

To enable this, the Programme’s sub-goals are to:

1. Handle reported vulnerabilities in a coordinated manner with the necessary expertise.

2. Protect the confidentiality and integrity of the process, and submitted research, in
order to retain the confidence of the GSMA CVD Programme.

3. Protect all parties in the process from actual or perceived conflicts of interest.

To achieve these goals the GSMA rely on a specialist group, who use their knowledge to
assess a Submission and consider options for remediation; the Panel of Experts (PoE)
(Section 4).

4 The Panel of Experts

The PoE is a subject matter expert group drawn from individuals working for GSMA
Members, Associate Members and Rapporteurs. This group supports the GSMA deal with
security vulnerabilities submitted to the CVD Programme. Members are chosen by the
GSMA based on their personal skills, capabilities and ability to commit to the Programme.

PoE members commit to work for the benefit of the industry as a whole, rather than to
enable competitive advantage.

Non-GSMA Members, Associate Members and Rapporteurs’ employees or personnel may

be invited on a case by case basis to participate as a Submission Specific Expert.

4.1 Make-up of the Panel of Experts

Alongside a general security mind-set, the GSMA has identified the following areas of
experience and expertise as required for the PoE to collectively have:

V3.0 Page 9 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

 Transport/transmission security
 Radio access network (RAN) security
 Signalling protocol security
 Core network technology security
 Device security
 UICC/eUICC security
 Cryptography
 Internet of Things (IoT) security
 Roaming and interworking security
 Cloud and virtualisation security
 Billing and financial system security
 Protocol analysis/security

It is desirable that each area should be represented by at least two individuals on the PoE.

It would be undesirable for a company or geographic region to be overrepresented on the

PoE. The GSMA aims to have:

 A maximum of two PoE members working for the same organisation, unless
additional members are covering areas of expertise that would otherwise not be
sufficiently represented.
 Representation from a range of geographic regions.

The GSMA FASG Chair is a member of the PoE for the duration of their chairmanship by
virtue of holding the position.

4.2 Joining the Panel of Experts

Individuals working for GSMA Members, Associate Members and Rapporteurs are eligible to
join the PoE.

To apply, applicants should complete the application form found at [4] and send it to
[email protected]. GPG encryption is encouraged but not required, the public key can be
found at [4].

In order to join the PoE, it is the responsibility of the individuals to:

1. Be recognised by the telecommunications industry or academic community as

specialists in a relevant area of mobile telecommunications security

2. Be active contributors to the community in their chosen area of research or expertise

3. Align with GSMA’s organisational objectives and values

Biannually the GSMA will consider all complete applications submitted by the required
deadline to the nominated email. The GSMA will assess individuals’ applications based on
the requirements in this section and Sections 6.3 and 6.4 of this document.

The current application deadline is provided at [4].

V3.0 Page 10 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

To allow outgoing members of the PoE to attend the CVD Annual Review meeting in April,
the application process will begin after this date by announcement to the FASG.

The decision to appoint an individual to the PoE sits with the GSMA. The route of appeal
against the decision not to accept an applicant to the POE is via the GSMA CTO
([email protected]). The appeal must be entered within 5 working days of the
applicant being notified of the GSMA’s decision.

Figure 1 summarises the application process, along with anticipated timelines for the
application process.

Figure 1: PoE application process

4.3 Period of appointment and removal from the Panel of Experts

PoE members are appointed for two years from the date of their official confirmation of
participation by the GSMA, with the ability to re-apply. Should members of the PoE wish to
remain past their two year term, the individual is expected to reapply using the process in
Section 4.2. If no application is received the PoE member’s term will automatically end after
two years.

The GSMA will remind PoE members that their term is due to expire, with sufficient time for
the PoE member to reapply.

If a PoE member stops working for one of the GSMA Members, Associate Members and
Rapporteurs, their appointment to the PoE will lapse, unless they are able to demonstrate
that they will begin to work for another of the GSMA Members, Associate Members and
Rapporteurs within three months.

PoE members may resign at any time by writing to the CVD Director. This will not alter the
application process timeline (see 4.2).

If a PoE member does not meet the responsibilities listed under Sections 4.2, 6.3 and 6.4 of
this document their appointment to the PoE will be reviewed by GSMA which may result in
the member being removed from the PoE.

V3.0 Page 11 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

The route of appeal against the removal from the PoE is via the GSMA CTO
([email protected]). The appeal must be entered within 5 working days of the
applicant being notified of removal.

5 CVD Submission and Consideration Process

5.1 Submission by Reporter

To submit a vulnerability to the GSMA CVD Programme, the Reporter should describe it in
either of the Submission forms available in Annexes B.1 and B.2, also available online at [4],
and email the completed form to [email protected]. GPG encryption is encouraged but
not required, the public key can be found at [4].

The Reporter is requested to describe the vulnerability on the Submission form, including:

 Identification of the vulnerable target(s)

 A description of the vulnerability
 Operations carried out to exploit the vulnerability

This is usually sufficient information to enable the GSMA to consider the vulnerability and will
allow for verification and identification of possible remediations. A Proof-of-Concept (POC) or
more detailed description may be requested in the case of complex vulnerabilities.

The GSMA may ask a Reporter for more information throughout the consideration process.

Reporters agree to:

1. Submit information about vulnerabilities using either of the Submission forms

2. Provide sufficient information in English to enable the GSMA to consider the
Submission
4. Remain actively engaged with the GSMA throughout the consideration process
through one main Reporter
5. Not publicise information about the vulnerability until it has been resolved within the
agreed period, with a default of 90 days
6. Adhere to the expectations in Section 2.5

5.2 Validation and acknowledgement of a Submission

The GSMA aims to contact the Reporter within 2 working days of receipt of the Submission
to thank the Reporter and:

 Where key information is not included on the Submission form, to ask for the missing
information to be added and resubmitted

 Where the Submission form is complete, inform the Reporter of the consideration
process and that it has been sent to the Submission Consideration Group (SCG)

In the case that a Reporter names specific GSMA Members, Associate Members and
Rapporteurs being actively exploited using the vulnerability then the CVD process will define
this as an Incident. In addition to the CVD process the CVD Director will contact the named

V3.0 Page 12 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

party to provide information about the incident, and if feasible may attempt to identify other
(not already named) parties that may also be impacted.

5.3 Formation of a Submission Consideration Group and consideration of a

Submission
Upon receiving a Submission the GSMA will invite the PoE and (on a need-to-know basis)
any additional Submission-Specific Experts or GSMA staff to consider a Submission, forming
a SCG for that specific Submission.

The SCG will decide if a reported vulnerability is admissible to the GSMA’s CVD Programme
based on the scope in Section 2.1 of this document.

They may ask for further information from the Reporter to help their consideration.

5.4 Informing the Reporter of the SCG’s decision

The GSMA will inform the Reporter whether the submitted vulnerability has been accepted,
deemed unsuitable for GSMA CVD, or if the SCG would like more information to reach a
decision.

If it is deemed unsuitable for GSMA CVD, the GSMA will discuss with the Reporter the
SCG’s reasoning and provide this.

GSMA aims for this to take place within 10 working days from the GSMA’s confirmation that
the Submission form is complete and has been shared with the SCG. Regardless of
acceptance, the GSMA will assign the Submission a CVD number (CVD-YEAR-nnnn) and
provide it to the Reporter.

During the consideration of a Submission a member of the SCG may become aware of an
Incident which a law, regulation or contract requires them to report. Under these
circumstances the SCG member agrees to limit the information shared to Minimum viable
details of the incident.

5.5 Remediation, including creation of advisories and outputs

To assist with coordination, the GSMA requests that Reporters confirm to which other
organisations they have disclosed the vulnerability.

The GSMA will consider whether other organisations are required to carry out remediating
actions. When required the GSMA will confirm the Reporter is happy for this discussion to
occur, and whether the Reporter wishes to be named in these communications.

As part of the consideration and remediation of a vulnerability, the GSMA may create
advisories and outputs for the benefit of the mobile industry; such as a briefing paper or
statement relating to the vulnerability. These will be shared with GSMA Members, Associate
Members and Rapporteurs under a confidentiality notice.

The Reporter and SCG will contribute to drafting these documents. Interim publication of
advisories, briefings or other disseminations to GSMA Members, Associate Members and
Rapporteurs will be considered on a Submission-by-Submission basis.

V3.0 Page 13 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

What When For whom Purpose

Briefing Prior to public GSMA Members, To inform GSMA Members, Associate
paper disclosure Associate Members Members and Rapporteurs of the details
and Rapporteurs and remediation routes for a submitted
vulnerability
Reactive Ready for public Inbound media To respond to inbound media enquiries
media disclosure or enquiries about a submitted vulnerability
statement briefing paper
dissemination
Liaison At any point during Standards bodies To inform other organisations of the
Statement consideration responsible for an information required to make a change to
impacted standard a standard to remediate a submitted
vulnerability

Table 1: Typical outputs created by SCG

5.6 Ongoing communication

Ongoing communication and expectation management is a key aspect of CVD programmes.
Setting communication and resolution expectations creates a culture of trust and provides
credibility between GSMA and the Reporter. The timescale will vary between Submissions
but the default is 90 days.

There will be ongoing communication between the GSMA and the Reporter, allowing the
SCG to request further information or provide feedback to the Reporter. In turn, the Reporter
may update the GSMA on any developments.

Where the publication date has not been confirmed, this should be determined during these
communications.

5.7 Closedown of Submission

The Submission is closed when:

 No GSMA action is considered necessary or appropriate in relation to a Submission

deemed unsuitable for GSMA CVD, or

 When an advisory is disseminated in response to an accepted Submission

This is done in discussion with the Reporter.

Remediation of the residual threat from the vulnerability to the industry should be considered
where practically possible.

The closedown template (Annex B.3) will be completed and made available for GSMA
Members, Associate Members and Rapporteurs on the InfoCentre2 CVD group [7], along
with any GSMA outputs, the Submission and the Submission form.

Final decisions regarding inclusion in the Mobile Security Research Hall of Fame [6] should
be made at this point and the Reporter informed of the decision.

V3.0 Page 14 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

5.7.1 Mobile Security Research Hall of Fame

Entry into the Mobile Security Research Hall of Fame is based on the following criteria:

1. Meeting the scope for the CVD Programme (Section 2.15.3 of this document)
2. Impact of the vulnerability
3. Reporter’s engagement with the process

The GSMA reserves the right to remove Reporters from the Mobile Security Research Hall
of Fame if they no longer meet these criteria or subvert the mobile industry’s security efforts.

EXAMPLE Attacks on live networks or other activities which undermine the

confidentiality, availability or integrity of systems would constitute
subversion of the mobile industry’s security efforts.

5.8 Updating of Submission

When further information is provided about a Submission, either directly from the Reporter or
from elsewhere (e.g. the press), the update is noted and provided to the SCG, ensuring the
most comprehensive and up-to-date information is considered. This may result in updated
advisories or outputs being published.

The GSMA monitors the internet for updates to the underlying research, as deemed
appropriate by the PoE. Reporters and GSMA Members, Associate Members and
Rapporteurs are also encouraged to provide GSMA with such updates.

5.9 Submission disputes

If a Reporter and the GSMA cannot reach an agreed position on a Submission it is
recommended that further attempts are made to resolve the issue in a clear and open
manner. Guidance should be provided to the Reporter as to what will happen should no
further agreement be reached, or communication be received.

If the issues cannot be resolved, the discussion should be closed down in a manner that
provides options to resume communications should the Reporter desire this at a later stage.

V3.0 Page 15 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

Figure 2: CVD Submission and Consideration Process workflow

6 Roles and Responsibilities

6.1 CVD Director Responsibilities

Role Responsibilities
The CVD Director coordinates between the The CVD Director will:
Reporter, the SCG, and others involved in the  Lead the day-to-day running of the
process; including relevant GSMA staff, GSMA Programme
Members, Associate Members and
 Be the GSMA point of communication for a
Rapporteurs, and other relevant organisations.
Reporter and the route of communication
between the SCG and Reporter
 Uphold the highest standards of ethics and
integrity through their conduct both within
and outside of the CVD process
 Carry out the initial check of a Submission
when it is received by the GSMA

V3.0 Page 16 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

Role Responsibilities
 Act as liaison to any GSMA staff function
that needs to be involved in the
Programme
 Approach any Submission Specific Experts
to join a SCG
 Organise all meetings of the PoE and
SCGs
 Administer the PoE application process
including deciding on new members to
appoint to the PoE
 Remove a PoE member who has not
followed the responsibilities listed under
Sections 4.2, 6.3 and 6.4 of this document
 Administer the quarterly PoE conference
calls and the CVD Programme Annual
Review
 Carry out all reporting as listed in Section 8
of this document

Table 2: CVD Director Role and Responsibilities

6.2 GSMA CTO Responsibilities

Role Responsibilities
The GSMA CTO owns the GSMA CVD The GSMA CTO will:
Programme.  Act as the sole route of appeal for
applicants to the PoE who are not
appointed by the CVD Director
 Act as the sole route of appeal for PoE
members removed by the GSMA CVD
Director
 Support the long term funding of the
Programme. This includes support services
that are essential to the smooth running of
the GSMA CVD Programme such as
finance, legal and communications

Table 3: GSMA CTO Role and Responsibilities

6.3 Panel of Experts Member Responsibilities

Role Responsibilities
The PoE consider and remediate a Submission As part of the PoE, it is the responsibility of
as part of a SCG and provide expertise based members to:
on their individual skillsets and experience. The  Individually adhere to the GSMA’s
group also input to the Programme’s overall confidentiality requirements as per Article
strategic roadmap which is delivered through 18.2 of the GSMA Articles of Association
the GSMA. (AA.16) [8]

V3.0 Page 17 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

Role Responsibilities
 Work for the benefit of the industry as a
whole rather than to enable competitive
advantage
 Attend the GSMA’s required training
webinar when they are appointed, before
taking part in Submission reviews
 Be actively involved in regular meetings
and contribute to work
 Uphold the highest standards of ethics and
integrity through their conduct both within
and outside of the CVD process
 Provide expertise on vulnerability
disclosure management to support the
GSMA’s CVD Programme
 Take part in the quarterly PoE conference
calls and attend the Annual Review
meeting, where organisational travel policy
permits

Table 4: PoE Role and Responsibilities

6.4 Submission Consideration Group Responsibilities

Role Responsibilities
This group’s role is to consider the vulnerability, It is the responsibility of SCG members to:
its implications, remediation options and the  Assess the admissibility of vulnerabilities in
GSMA’s response to a Submission, and to accordance with the GSMA’s eligibility
actively contribute to all material in Section 5.5. criteria in Section 2.15.3
This includes admission of the Reporter to the
 Suggest appropriate Submission Specific
Mobile Security Research Hall of Fame [6].
Experts to the GSMA CVD Director to
assist with the consideration of
This group may consist of individuals not from Submissions
GSMA Members, Associate Members and  Contribute to the formulation of the
Rapporteurs, referred to as Submission Specific GSMA’s response to each disclosure, see
Experts, in addition to the PoE and GSMA staff. Section 5.5
 Inform the GSMA CVD Director when the
Submission must be shared with others
within their organisation
 Agree to manage a list of who has had
access to the information, to be provided to
the GSMA in case of a suspected breach
of confidentiality
 Inform the GSMA CVD Director where they
believe a breach of confidentiality may
have occurred within their organisation
 Notify the GSMA CVD Director of any
potential or actual conflicts of interest when
considering a Submission, in particular with

V3.0 Page 18 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

Role Responsibilities
relation to any disclosures required by law,
regulation or contract
 Not make contact with a Reporter directly
during consideration of a Submission,
unless authorised by the GSMA CVD
Director

In addition to points above Submission Specific

Experts agree:
 Where they do not work for GSMA
Members, Associate Members and
Rapporteurs, to sign and adhere to an
individual GSMA NDA (Annex Annex C)
covering their work on a Submission.
 To adhere to the GSMA’s confidentiality [8]
and antitrust provisions [9] and not use
shared Submissions for competitive
advantage or to the disadvantage of the
industry

Table 5: SCG Role and Responsibilities

7 Programme review

7.1 Quarterly Conference Call

The PoE holds a quarterly conference call to consider the status of Submissions received or
closed within the preceding quarter, any media attention or any non-Submission specific
matters. Communications of this nature may also take place by email.

7.2 CVD Programme Annual Review

The GSMA will hold an Annual Review meeting, usually in April, with the aim to continuously
improve the Programme. All members of the PoE will be invited and topics for consideration
may include:

 Submissions including number received and time taken to consider each Submission
 Feedback from Reporters and other parties
 Expertise gaps within the PoE for next application round consideration
 Suggestions for changes to the Programme

8 Reporting
The GSMA will report on the progress of individual Submissions and to understand the
effectiveness of the Programme as a whole. GSMA groups may request ad hoc reports
about the Programme.

8.1 Monthly reporting

The following will be reported to the PoE and to GSMA staff.

V3.0 Page 19 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

1. Number of Submissions:
a) received that month
b) deemed unsuitable for GSMA CVD that month
c) currently under consideration
d) closed that month (excluding deemed unsuitable for GSMA CVD)
2. The status of Submissions under consideration
3. Any Submissions which have not met the agreed timings for acknowledgement or
initial assessment that month

The CVD Director may report other information or trends that they deem useful for the PoE,
GSMA staff or others.

9 Disclosure and confidentiality

As part of the CVD Programme the GSMA will need to provide information about the
Submission to GSMA Members, Associate Members, Rapporteurs and non-GSMA member
Submission Specific Experts.

This information is shared with these groups on a need-to know basis and subject to the
following confidentiality restrictions:

 The recipient of the information agrees to adhere to Article 18.2 of the GSMA Articles
of Association (AA.16) [8].

 Individuals acting as Submission Specific Experts who are not from GSMA Members,
Associate Members and Rapporteurs will sign and adhere to a personal NDA
(available at Annexe Annex C).

The GSMA will not communicate details of the vulnerability outside of the SCG or GSMA
Members, Associate Members and Rapporteurs without the agreement of the Reporter.

V3.0 Page 20 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

Annex A GSMA CVD History

Security vulnerabilities exist in most, if not all, software and hardware products and services.
These are frequently exploited to cause service providers and their customers harm.

A disclosure framework such as a CVD programme, is a key component to encourage

constructive and structured engagement with security researchers. Facilitating early
remediation of vulnerabilities and responsible and controlled public release of the
vulnerability details. Consequently, a CVD programme is an important component of
improving security awareness and readiness for any organisation.

For several years the GSMA supported security researchers to disclose vulnerability details
in a responsible manner on an informal basis, allowing remediation to take place prior to
public disclosure. Based on the success of this informal service the GSMA developed a
formal CVD process to manage industry impacting security issues.

In 2017, the GSMA’s Fraud and Security Group (FASG) [10] defined and supported the
creation of this unique industry focused programme. The service invites security researchers
who have discovered vulnerabilities or weaknesses in mobile systems to disclose details to
GSMA. In turn allowing GSMA member organisations, who are manufacturers and providers
of products and services, to address the identified security issues before public disclosures
enable exploitation.

The GSMA is able to convene industry subject matter experts to assess the research, often
highly technical in nature, and offer remediating advice for short, medium and long term
fixes, where appropriate. The GSMA is then able to share details of these fixes with the
entire membership; with the intention to prevent exploitation.

The GSMA membership is also in a unique position to influence the industry standardisation
process, allowing vulnerabilities to be designed out at the earliest phase of network design.

The benefit of such a Programme for the GSMA membership is the convening of industry
experts to collectively address and prevent attacks capable of exploiting disclosed
vulnerabilities. The benefit for the security researchers’ is that they receive a constructive
and structured engagement with the industry and can contribute to enhancing the security of
mobile services.

V3.0 Page 21 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

Annex B CVD Document Templates

Reporters may supply information on the vulnerability by email using the Submission
template below. GPG encryption is encouraged but not required, the public key can be found
at [4]. Both form formats can be found on www.gsma.com/cvd

B.1 Email Format

Contact Details

Name (Full or Nickname Mandatory)

Organisation
Email Address (Mandatory)
Telephone
Can we provide your details to GSMA stakeholders (Yes/No)
Do you want to be acknowledged publicly (Yes/No)

Vulnerability Details (All below are mandatory)

Title of vulnerability
Description of vulnerability
Product or service name
Date vulnerability found
Is the vulnerability still live? (Yes/No)
Do you believe the vulnerability is currently being exploited? (Yes/No)
Probability of reproduction of vulnerability (Always / Often / Rarely)
Possible threat caused by the vulnerability
Can you provide PoC Code, Screenshots or other useful information?
Do you intend to let us review the vulnerability before going public? (Yes/No)
To what other organisation(s) has the vulnerability been disclosed?

V3.0 Page 22 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

B.2 Word Template

Reporter Details
Name (either full or nickname):
(Mandatory Field)
Organisation
Email
(Mandatory Field)
Telephone
Can we provide your details to No ☐ Yes ☐
another organisation or
company if required for
coordination
Do you want to be publicly No ☐ Yes ☐
acknowledged
Vulnerability Details
(All below are mandatory fields)
Title of Vulnerability

Description of Vulnerability

Product or Service Name

Date Vulnerability Found
Is the Vulnerability still live No ☐ Yes ☐
Do you believe the vulnerability No ☐ Yes ☐
is currently being exploited
Probability of reproduction of 1 – Always ☐ 2 – Often ☐ 3 – Rarely ☐
vulnerability
Possible threat caused by the
vulnerability

Can you provide any PoC Code,

Screenshots or Http requests
etc.
Do you intend to let us review No ☐ Yes ☐
the vulnerability before going
public
To what other organisation(s)
has the vulnerability been
reported?

V3.0 Page 23 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

B.3 CVD Close Down Template

Coordinated Vulnerability Disclosure - Close Down Information

GSMA CVD Number

CVD Title

Reporter

Organisation

Has the CVD Submission been No ☐ Yes ☐

resolved?

Have the Reporters been No ☐ Yes ☐

informed of closure?
Have any concerned parties No ☐ Yes ☐
been informed?
Summary/Resolution of Vulnerability

Date Vulnerability Found

Date Vulnerability Closed
Has the vulnerability been No ☐ Yes ☐
publicly disclosed?
Has this CVD Submission No ☐ Yes ☐
been entered into Mobile
Security Research Hall of
Fame?
Has a request for Reporter No ☐ Yes ☐
feedback been issued?
Any Further Notes

V3.0 Page 24 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

B.4 Example Panel of Experts (PoE) Application Form

Applicant Details

Name:
Company:
(As listed on your
GSMA IC2 account)

Work email:
Telephone:
I am a member of the GSMA Fraud and Security Group (FASG): No ☐ Yes ☐
Geographical North America ☐
areas of company
activity: Latin/South/Central America ☐
(Tick all that Middle East & North Africa ☐
apply)
Sub-Saharan Africa ☐
Europe ☐
Russia/Central Asia ☐
Greater China ☐
India and South Asia ☐
East and South-East Asia ☐
Oceania ☐

Applicant Experience

Subject matter Real World Standards

areas: Experience* /Governance
(Please select the Transport/transmission security ☐ ☐
area/s in which
you have Radio access network security ☐ ☐
expertise.)
Signalling protocol security ☐ ☐
Core network technology security ☐ ☐
* Including design,
planning, Device security ☐ ☐
implementation,
UICC/eUICC security ☐ ☐
operation, incident
handling Cryptography ☐ ☐
Internet of Things (IoT) security ☐ ☐
Roaming and interworking security ☐ ☐
Cloud and virtualisation security ☐ ☐
Billing and financial system security ☐ ☐
Protocol analysis ☐ ☐
Other: _________________________________________

V3.0 Page 25 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

Please outline any evidence of relevant experience within the areas above and with the wider
mobile industry/academia (e.g. standards, research, publications, and memberships of other
committees/industry bodies):

I have previously been a member of the GSMA CVD Panel of Experts No ☐ Yes ☐
(formerly Governance Team)?
Please provide Referee One Name:
referees who can
Email:
be contacted by
GSMA to support Referee Two Name:
the application
(optional but Email:
recommended):
Applicant Consent

I have read FS.23 and agree to be bound by the terms and conditions of No ☐ Yes ☐
the document set out therein:
I have received written approval by my employer to act as a member of No ☐ Yes ☐
the Panel of Experts:
Applicant Name:
Signed:
Date:

Upon completion, please send to the GSMA CVD Director at [email protected].

Any further information can be found at gsma.com/cvd.

V3.0 Page 26 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

Annex C Individual Non-Disclosure Agreement

MUTUAL NON-DISCLOSURE AGREEMENT

This Mutual Non-Disclosure Agreement (this “Agreement”) is entered into and effective as of [INSERT DATE]
(the "Effective Date") by and between

the GSM Association with an office at 2nd Floor, The Walbrook Building, 25 Walbrook, London EC4N 8AF, England
and ____________________________________whose registered office is located at:
_________________________(the “Confidant”) (each individually a “Party” and collectively the “Parties”)

WHEREAS the Parties wish to protect the confidential nature of information disclosed under this
Agreement.

NOW THEREFORE it is hereby agreed as follows:

1. DEFINITIONS

1.1 “Affiliates” means any subsidiary or holding company of an entity, any subsidiary of any of its holding
companies and any partnership, company or undertaking (whether incorporated or unincorporated) in which
an entity has the majority of the voting rights or economic interest.

1.2 “Business Purpose” means [INSERT PURPOSE FOR WHICH THE CONFIDENTIAL INFORMATION IS BEING
EXCHANGED].

1.3 “Confidential Information” means all information of the GSMA Group, the Confidant or a third party,
including without limitation, information relating to the research, development, business plans, marketing,
operations, finances, personal data of any such entity, which is disclosed by one Party directly or indirectly to
the other Party hereunder in connection with the Business Purpose, whether in writing (physically or
electronically), visually or orally and which is designated as proprietary or confidential or which, under the
circumstances, should reasonably be considered confidential.

1.4 “Disclosing Party” a Party to this Agreement that directly or indirectly discloses or makes available its
Confidential Information to the other Party.

1.5 “GSMA Group” means the GSMA, its Affiliates and GSMA Members together with the directors,
employees and agents of each of those.

1.6 “GSMA Members” means the full, associate and other members of the GSM Association.

V3.0 Page 27 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

1.7 “Receiving Party” means a Party to this Agreement which directly or indirectly receives or obtains the
other Party’s Confidential Information.

2. OWNERSHIP OF CONFIDENTIAL INFORMATION

All Confidential Information is, and shall remain, the property of the Disclosing Party. Nothing herein
shall be construed as granting any rights by licence or otherwise in the Confidential Information except as
expressly provided herein. Other than as expressly provided herein, no licence is granted (whether implicitly, by
estoppel or otherwise) under any patents, copyrights, trademarks, database rights, semiconductor topography
rights, registered or unregistered designs, utility models or other intellectual property rights relating to the
Confidential Information.

3. OBLIGATIONS OF CONFIDENTIALITY

3.1 The Receiving Party may use the Confidential Information received hereunder solely for the Business
Purpose.

3.2 For a period of three (3) years from the receipt of Confidential Information hereunder, the Receiving
Party shall use the same degree of care and means that it uses to protect its own Confidential Information of a
similar nature, but in any event not less than reasonable care and means, to prevent the unauthorized use or
disclosure to third parties of such Confidential Information.

3.3 The Receiving Party shall disclose the Confidential Information only to its officers, employees,
consultants, Affiliates, or contractors with a “need to know” for the Business Purpose and who have entered
into confidentiality agreements sufficient to prohibit further unauthorized use or disclosure of the Confidential
Information. The Receiving Party may not alter, decompile, disassemble, reverse engineer, or otherwise modify
any Confidential Information received hereunder other than in furtherance of the Business Purpose and the
mingling of the Confidential Information with information of the Receiving Party shall not affect the confidential
nature or ownership of the same as stated hereunder.

3.4 This Agreement shall impose no obligation of confidentiality upon the Receiving Party with respect to
any portion of Confidential Information received hereunder, which: (a) is already known in the public domain
prior to this Agreement or becomes publicly known through no fault of the Receiving Party; (b) is or becomes
known to the Receiving Party from a third party source other than the Disclosing Party without duties of
confidentiality attached and without breach of any agreement between the Disclosing Party and such third
party; (c) is furnished to another by the Disclosing Party without restriction on disclosure; or (d) was
independently developed by the Receiving Party without the benefit of the Confidential Information.

3.5 Nothing in this Agreement shall prevent a Receiving Party from disclosing Confidential Information to
the extent it is legally compelled to do so by any governmental investigative or judicial agency pursuant to
proceedings over which such agency has jurisdiction; provided, however, that prior to any such disclosure, the
Receiving Party shall: (a) assert the confidential nature of the Confidential Information to the agency; (b)
immediately notify the Disclosing Party in writing of the agency’s order or request to disclose; and (c) provide all
reasonable cooperation to the Disclosing Party in protecting against any such disclosure and/or obtaining a
protective order narrowing the scope of the compelled disclosure and protecting its confidentiality.

V3.0 Page 28 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

3.6 Each Party agrees that this Agreement applies equally to all Confidential Information concerning the
Business Purpose shared by the Disclosing Party or any Affiliate of the Disclosing Party to the Receiving Party
prior to the Effective Date.

4. EXCLUSIVE ACTIVITY

Nothing in this Agreement shall prevent a Party from pursuing similar discussions with third parties
provided that there is no breach of the obligations of this Agreement. The obligations of confidentiality under
this Agreement shall not be construed to limit a Party’s right to develop independently or acquire products or
services without use of the other Party’s Confidential Information.

5. TERM AND TERMINATION

5.1 The term of this Agreement is for a period of one (1) year from the Effective Date unless otherwise
terminated.

5.2 Either Party may terminate this Agreement for any reason prior to the period stated in clause 5.1 upon
thirty (30) days’ written notice to the other Party.

5.3 Either Party may terminate this Agreement immediately upon written notice to the other in the event
of any breach by that other Party of this Agreement.

5.4 Upon the written request of either Party or upon the expiration or termination of this Agreement for
any reason the Receiving Party will promptly return all copies of the Disclosing Party’s Confidential Information
in its possession, power, custody or control, or in respect of Confidential Information held electronically
permanently erase to the extent technically feasible (without incurring excessive expense).

5.5 Notwithstanding anything else contained herein, each Party may retain a copy of the other Party’s
Confidential Information to the extent required for legal or regulatory purposes. Any Confidential Information
that is retained under this clause or which has not been returned, destroyed or permanently erased under clause
5.4 shall remain subject to the other provisions of this Agreement.

5.6 Clauses 1, 2, 3, 4, 5.4, 5.5, 6 and 7 shall survive the expiration or termination of this Agreement.

6. NO WARRANTY; DISCLAIMER

NEITHER PARTY MAKES ANY REPRESENTATION, WARRANTY OR UNDERTAKING (EXPRESS OR IMPLIED)

WITH RESPECT TO, AND DOES NOT ACCEPT ANY RESPONSIBILITY FOR, (AND HEREBY DISCLAIMS LIABILITY FOR),
THE ACCURACY OR COMPLETENESS OF ANY CONFIDENTIAL INFORMATION. NEITHER PARTY IS RESPONSIBLE
FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FINANCIAL OR OTHERWISE CASUED DIRECTLY OR INDIRECTLY
BY RELIANCE UPON THE CONFIDENTIAL INFORMATION. NEITHER PARTY IS UNDER ANY OBLIGATION TO PROVIDE
THE OTHER PARTY WITH CONFIDENTIAL INFORMATION AND MAY AT ANY TIME AND IN ITS SOLE DISCRETION
DISCONTINUE ITS DISTRIBUTION. ALL CONFIDENTIAL INFORMATION IS PROVIDED “AS IS”.

7. GENERAL

V3.0 Page 29 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

7.1 Equitable Remedies. The Parties agree that there is no adequate remedy in damages for any breach of
the obligations of confidence hereunder and upon any such breach or any threat thereof by the Receiving Party,
the Disclosing Party shall be entitled to seek appropriate equitable relief, including injunctive relief in addition
to whatever other remedies it might be entitled, including, but not limited to, damages.

7.2 Severability. If any term, provision, covenant or condition of this Agreement is held invalid or
unenforceable for any reason, the Parties agree that such invalidity shall not affect the validity of the remaining
provisions of this Agreement and further agree to substitute for such invalid or unenforceable provision a valid
and enforceable provision of similar intent and economic effect.

7.3 Publicity. Neither Party, without the other Party’s prior written approval, shall make any public
announcement or any disclosure as to the existence of or matters set forth in this Agreement.

7.4 Assignment. Neither Party may assign its rights or obligations under this Agreement.

7.5 Waiver. The failure of a Party at any time to require performance by the other Party of any provision
hereof shall not affect in any way the full right to require such performance at any time thereafter. Nor shall the
waiver by a Party of a breach of any provision hereof be taken or held to be a waiver of the provision itself.

7.6 Headings. The headings in this Agreement are provided for convenience only and do not affect its
meaning.

7.7 Relationship of the Parties. Nothing in this Agreement will be construed as creating an employer-
employee or agency relationship, a partnership or a joint venture between the Parties.

7.8 Governing Law.

[This Agreement shall be construed in accordance with, and all disputes hereunder shall be governed by, the
laws of England and shall be subject to the exclusive jurisdiction of the English courts.]

7.9 Facsimiles; Email. The Parties agree to treat documents sent via telephonic facsimile or email as original
documents, provided that either Party may require the other to provide a manually executed or authenticated
original or duplicate of any document so sent within a reasonable period of time, and if such original or duplicate
is not provided within that time, then to treat the document as not having been received initially until the
manually executed or authenticated original or duplicate is delivered.

7.10 Entire Agreement; Modification. This Agreement is the complete, final and exclusive statement of the
terms of the agreement between the Parties and supersedes any and all other prior and contemporaneous
negotiations and agreements, whether oral or written, between them relating to the subject matter hereof. This
Agreement may not be varied, modified, altered, or amended except in writing signed by the Parties.

7.11 Counterparts. This Agreement may be executed in two (2) or more counterparts, each of which shall
be deemed an original, but all of which together shall constitute one and the same instrument.

V3.0 Page 30 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

IN WITNESS WHEREOF the Parties have caused this Agreement to be executed by their duly authorized
representatives on the date(s) shown below.

GSMA NAME OF OTHER COMPANY

______________________________ ____________________________
Signature Signature

______________________________ ____________________________
Printed Printed

______________________________ ____________________________
Title Title

______________________________ ____________________________
Date Date

V3.0 Page 31 of 32
GSM Association Non-confidential
Official Document FS.23 - GSMA Coordinated Vulnerability Disclosure Program

Annex D Document Management

D.1 Document History

Version Date Brief Description of Change Approval Editor /
Authority Company
Ethan Duffell,
1.0 13/3/2017 First published version PSMC
GSMA
Addition of closedown template
and changes to governance Samantha Kight,
2.0 29/5/2019 TG
team structure. Minor editorial GSMA
changes.
Formalising GSMA CVD policy,
member application process,
roles and responsibilities, James Skuse,
3.0 15/7/2020 FASG
unifying document language, GSMA
remove GSMA own assets (e.g.
website) from scope.

D.2 Other Information

Type Description
Document Owner GSMA Fraud and Security Architecture Group (FSAG)
Editor / Company James Skuse, GSMA

It is our intention to provide a quality product for your use. If you find any errors or omissions,
please contact us with your comments. You may notify us at [email protected]

Your comments or suggestions & questions are always welcome.

V3.0 Page 32 of 32

Hourglass Workout Program by Luisagiuliet 2
76% (21)
Hourglass Workout Program by Luisagiuliet 2
51 pages
12 Week Program: Summer Body Starts Now
87% (46)
12 Week Program: Summer Body Starts Now
70 pages
The Hold Me Tight Workbook - Dr. Sue Johnson
100% (16)
The Hold Me Tight Workbook - Dr. Sue Johnson
187 pages
Livingood, Blake - Livingood Daily Your 21-Day Guide To Experience Real Health
77% (13)
Livingood, Blake - Livingood Daily Your 21-Day Guide To Experience Real Health
260 pages
Cheat Code To The Universe
94% (79)
Cheat Code To The Universe
34 pages
Facial Gains Guide (001 081)
91% (45)
Facial Gains Guide (001 081)
81 pages
Curse of Strahd
95% (467)
Curse of Strahd
258 pages
The Psychiatric Interview - Daniel Carlat
91% (34)
The Psychiatric Interview - Daniel Carlat
473 pages
The Borax Conspiracy
91% (57)
The Borax Conspiracy
14 pages
Shortcut To Shred Ebook Revised 9-9-2015 PDF
88% (8)
Shortcut To Shred Ebook Revised 9-9-2015 PDF
15 pages
Trauma-Focused ACT - Russ Harris
95% (39)
Trauma-Focused ACT - Russ Harris
568 pages
I Hate You - Don't Leave Me
80% (54)
I Hate You - Don't Leave Me
6 pages
The Secret Language of Attraction
86% (107)
The Secret Language of Attraction
278 pages
How To Develop and Write A Grant Proposal
83% (542)
How To Develop and Write A Grant Proposal
17 pages
Workbook For The Body Keeps The Score
89% (53)
Workbook For The Body Keeps The Score
111 pages
KamaSutra Positions
78% (69)
KamaSutra Positions
55 pages
7 Hermetic Principles
93% (30)
7 Hermetic Principles
3 pages
27 Feedback Mechanisms Pogil Key
77% (13)
27 Feedback Mechanisms Pogil Key
6 pages
Frank Hammond - List of Demons
92% (92)
Frank Hammond - List of Demons
3 pages
36 Questions That Lead To Love
91% (35)
36 Questions That Lead To Love
3 pages
2025 MandateForLeadership FULL
70% (10)
2025 MandateForLeadership FULL
920 pages
100 Questions To Ask Your Partner
80% (35)
100 Questions To Ask Your Partner
2 pages
The 36 Questions That Lead To Love - The New York Times
94% (34)
The 36 Questions That Lead To Love - The New York Times
3 pages
The 36 Questions That Lead To Love - The New York Times
95% (21)
The 36 Questions That Lead To Love - The New York Times
3 pages
Jeffrey Epstein39s Little Black Book Unredacted PDF
75% (12)
Jeffrey Epstein39s Little Black Book Unredacted PDF
95 pages
14 Easiest & Hardest Muscles To Build (Ranked With Solutions)
100% (8)
14 Easiest & Hardest Muscles To Build (Ranked With Solutions)
27 pages
Starbucks Underfilled Latte Lawsuit
68% (76)
Starbucks Underfilled Latte Lawsuit
24 pages
1001 Songs
69% (72)
1001 Songs
1,798 pages
The 4 Hour Workweek, Expanded and Updated by Timothy Ferriss - Excerpt
23% (954)
The 4 Hour Workweek, Expanded and Updated by Timothy Ferriss - Excerpt
38 pages
Zodiac Sign & Their Most Common Addictions
63% (30)
Zodiac Sign & Their Most Common Addictions
9 pages
Gsma PRD FF.09
No ratings yet
Gsma PRD FF.09
35 pages
KimEng - Annual Report 2010
No ratings yet
KimEng - Annual Report 2010
106 pages
Leadership Development Overview Brochure
100% (1)
Leadership Development Overview Brochure
9 pages
EPG
No ratings yet
EPG
80 pages
FS.37_20v2.0.pdf
No ratings yet
FS.37_20v2.0.pdf
25 pages
SM Mar2022
No ratings yet
SM Mar2022
60 pages
ABI Research
No ratings yet
ABI Research
14 pages
ENISA - 5G Standards
No ratings yet
ENISA - 5G Standards
82 pages
Mounted Family of Computer Systems (Mfocs) Ii
No ratings yet
Mounted Family of Computer Systems (Mfocs) Ii
5 pages
GSMA TS.22-v2.0
No ratings yet
GSMA TS.22-v2.0
46 pages
SCP80 OTA - SGP - 05 - v1 - 1
No ratings yet
SCP80 OTA - SGP - 05 - v1 - 1
127 pages
What Can We Do For Your Network?: Secure
No ratings yet
What Can We Do For Your Network?: Secure
6 pages
Centralized Data Management 62
No ratings yet
Centralized Data Management 62
196 pages
Sure Signal Premium - UK High Level Design v3.0
No ratings yet
Sure Signal Premium - UK High Level Design v3.0
80 pages
Analysys Mason LTEA Carrier Aggregation Feb2015 Samples RDTN0
No ratings yet
Analysys Mason LTEA Carrier Aggregation Feb2015 Samples RDTN0
13 pages
Network Equipment Security Assurance Scheme - 05 February 2021
No ratings yet
Network Equipment Security Assurance Scheme - 05 February 2021
28 pages
Emergency Rules For School Bathroom Bill On Page 3
No ratings yet
Emergency Rules For School Bathroom Bill On Page 3
4 pages
Nozomi Networks WP Industroyer2 A4
No ratings yet
Nozomi Networks WP Industroyer2 A4
20 pages
PLTE Mission Critical Communications Mar19
No ratings yet
PLTE Mission Critical Communications Mar19
9 pages
IR 25 v4.0 PDF
No ratings yet
IR 25 v4.0 PDF
21 pages
8164 Berec Report On Infrastructure Sharing 0
No ratings yet
8164 Berec Report On Infrastructure Sharing 0
34 pages
Samsung SF1 Series Installation Manual - v6.0
No ratings yet
Samsung SF1 Series Installation Manual - v6.0
133 pages
Multicast Video App
No ratings yet
Multicast Video App
39 pages
Huawei Presentation.: Commonwealth Telecommunications Organisation. Maputo, Mozambique.
No ratings yet
Huawei Presentation.: Commonwealth Telecommunications Organisation. Maputo, Mozambique.
11 pages
Keysight Network Packet Broker v5.3.0 CC Guide 1.0
No ratings yet
Keysight Network Packet Broker v5.3.0 CC Guide 1.0
20 pages
BRKSPG 2402
No ratings yet
BRKSPG 2402
84 pages
Cloud RAN Basics
No ratings yet
Cloud RAN Basics
8 pages
Ecall Vs NG Ecall
No ratings yet
Ecall Vs NG Ecall
6 pages
IPLOOK HSS Web Operation Manual-20200408-V1.4
No ratings yet
IPLOOK HSS Web Operation Manual-20200408-V1.4
47 pages
Network Visibility: Network Packet Broker Comparison Table
No ratings yet
Network Visibility: Network Packet Broker Comparison Table
9 pages
Automated 4G/5G Core Networks: Heavy Reading's View
No ratings yet
Automated 4G/5G Core Networks: Heavy Reading's View
27 pages
2 ISO 27002-2013 - Control Cross Check (EN)
No ratings yet
2 ISO 27002-2013 - Control Cross Check (EN)
2 pages
GSMA PRD IR.92 - "IMS Profile For Voice and SMS" 1.0 18 March 2010
No ratings yet
GSMA PRD IR.92 - "IMS Profile For Voice and SMS" 1.0 18 March 2010
27 pages
GTI 5G Device Function and Performance Test Specification-V3.0
No ratings yet
GTI 5G Device Function and Performance Test Specification-V3.0
377 pages
Analyse This, P Analyse This, Predict That - Final Report - Singles LR - Redict That - Final Report - Singles LR
No ratings yet
Analyse This, P Analyse This, Predict That - Final Report - Singles LR - Redict That - Final Report - Singles LR
60 pages
Data Management Module
No ratings yet
Data Management Module
118 pages
Advoss Aaa Product Datasheet
No ratings yet
Advoss Aaa Product Datasheet
26 pages
TACACS Advantages
No ratings yet
TACACS Advantages
6 pages
2020 BRKSPG-2724 Network Function Virtualization (NFV) Using IOS-XR
No ratings yet
2020 BRKSPG-2724 Network Function Virtualization (NFV) Using IOS-XR
95 pages
03.1 VRRP Principle
No ratings yet
03.1 VRRP Principle
34 pages
Huawei Cloud Pangu Models Overview Presentation v3.0
No ratings yet
Huawei Cloud Pangu Models Overview Presentation v3.0
42 pages
NFM-T REST API Documentation R20.11 Issue 1 (HTML Format Recommended)
No ratings yet
NFM-T REST API Documentation R20.11 Issue 1 (HTML Format Recommended)
5,416 pages
01 Cloud Basics
No ratings yet
01 Cloud Basics
59 pages
Analysys Mason Report
No ratings yet
Analysys Mason Report
216 pages
GDPR For Dummies - Guide
No ratings yet
GDPR For Dummies - Guide
245 pages
Considerations, Best Practices and Requirements For A Virtualised Mobile Network
No ratings yet
Considerations, Best Practices and Requirements For A Virtualised Mobile Network
25 pages
Network Visibility Products Catalog
No ratings yet
Network Visibility Products Catalog
24 pages
M2M Huawei
No ratings yet
M2M Huawei
34 pages
Gsma 5G
No ratings yet
Gsma 5G
26 pages
NGMN 6G Drivers and Vision V1.0 - Final
No ratings yet
NGMN 6G Drivers and Vision V1.0 - Final
13 pages
White Paper Diameter Security 3 June 2015
No ratings yet
White Paper Diameter Security 3 June 2015
8 pages
Top Ten Voip Security Issue
No ratings yet
Top Ten Voip Security Issue
8 pages
v16 5g-Ausf
No ratings yet
v16 5g-Ausf
50 pages
5GIB2
No ratings yet
5GIB2
22 pages
MiddleEast Support Systems For Lawful Interception, Criminal Investigations and Intelligence Gathering (2013)
No ratings yet
MiddleEast Support Systems For Lawful Interception, Criminal Investigations and Intelligence Gathering (2013)
7 pages
Voice Over IP Security (PDFDrive)
100% (1)
Voice Over IP Security (PDFDrive)
383 pages
Evolution Firewall - 1
100% (1)
Evolution Firewall - 1
31 pages
IMS Service Centralization and Continuity Guidelines 15 September 2015
No ratings yet
IMS Service Centralization and Continuity Guidelines 15 September 2015
23 pages
IMS Service Centralization and Continuity Guidelines 08 December 2016
No ratings yet
IMS Service Centralization and Continuity Guidelines 08 December 2016
24 pages
ESIA English
No ratings yet
ESIA English
317 pages
FS.21_v2.0.pdf
No ratings yet
FS.21_v2.0.pdf
29 pages
04 18 18CCAgendaPacket
No ratings yet
04 18 18CCAgendaPacket
184 pages
Yaakov (J) Stein
No ratings yet
Yaakov (J) Stein
41 pages
GPRS Billing:: Briefing Paper
No ratings yet
GPRS Billing:: Briefing Paper
32 pages
LTE Security Disabled-Misconfiguration in Commercial Networks
No ratings yet
LTE Security Disabled-Misconfiguration in Commercial Networks
6 pages
Air Interface: 5G Yjs
No ratings yet
Air Interface: 5G Yjs
38 pages
Executive Summary: ONF's Software-Defined RAN Platform Consistent With The O-RAN Architecture
No ratings yet
Executive Summary: ONF's Software-Defined RAN Platform Consistent With The O-RAN Architecture
14 pages
Optical Fibers: Wave Equations in Cylindrical Coordinates R R 0 + R R
No ratings yet
Optical Fibers: Wave Equations in Cylindrical Coordinates R R 0 + R R
14 pages
Binomial Poisson
No ratings yet
Binomial Poisson
19 pages
Mpls A Mini-Course: July 2018
No ratings yet
Mpls A Mini-Course: July 2018
197 pages
LX2160A I NXP' B M: S S Iggest Ulticore
No ratings yet
LX2160A I NXP' B M: S S Iggest Ulticore
5 pages
802.3-2008 Section5
No ratings yet
802.3-2008 Section5
615 pages
Progressive Simplicial Complexes: Jovan Popovic Hugues Hoppe
No ratings yet
Progressive Simplicial Complexes: Jovan Popovic Hugues Hoppe
50 pages
Precise Estimates For The Ruin Probability in Finite Horizon in A Discrete-Time Model With Heavy-Tailed Insurance and Financial Risks
No ratings yet
Precise Estimates For The Ruin Probability in Finite Horizon in A Discrete-Time Model With Heavy-Tailed Insurance and Financial Risks
30 pages
Rod Serling Article
100% (1)
Rod Serling Article
2 pages
Teamwork Makes The Dream Work
No ratings yet
Teamwork Makes The Dream Work
12 pages
Polity RTFQ Day 4
No ratings yet
Polity RTFQ Day 4
25 pages
Essay On All The Light We Cannot See
No ratings yet
Essay On All The Light We Cannot See
2 pages
AU T2 E 191 Fantastic MR Fox Guided Reading Questions Chapters 1 and 2
No ratings yet
AU T2 E 191 Fantastic MR Fox Guided Reading Questions Chapters 1 and 2
6 pages
MIAA V Pasay Digest
No ratings yet
MIAA V Pasay Digest
2 pages
Rules and Regulations To Carry Out The Provisions of Section 6 of Presidential Decree No. 1612, Known As The Anti-Fencing Law
No ratings yet
Rules and Regulations To Carry Out The Provisions of Section 6 of Presidential Decree No. 1612, Known As The Anti-Fencing Law
4 pages
Roles Responsibilities Matrix
No ratings yet
Roles Responsibilities Matrix
18 pages
D) Skinny, Who Was Engaged in A Work That Is Not Child Labor, Is A Working Child
No ratings yet
D) Skinny, Who Was Engaged in A Work That Is Not Child Labor, Is A Working Child
1 page
Omnibos Sworn Statement
No ratings yet
Omnibos Sworn Statement
2 pages
Bài Tập Luyện Viết Ôn Thi 10
No ratings yet
Bài Tập Luyện Viết Ôn Thi 10
14 pages
DLL He
0% (1)
DLL He
7 pages
Login For Nivas Login: Social Welfare
No ratings yet
Login For Nivas Login: Social Welfare
4 pages
The Lazy Trader Guide
75% (4)
The Lazy Trader Guide
15 pages
William Finnemann
No ratings yet
William Finnemann
3 pages
11.TCOA SharvariD
No ratings yet
11.TCOA SharvariD
13 pages