Coordinated Vulnerability Disclosure (CVD)


In conjunction with other Standards Development Organizations and related bodies, 3GPP has put in place a mechanism by which individuals or organizations can notify us of suspected or proven vulnerabilities caused by errors, omissions or ambiguities in our Technical Specifications, particularly those which could give rise to security breaches or loopholes which could compromise components of 3GPP networks, terminal equipment connected to those networks, or other interworking networks or equipment.

We take such threats seriously and will do our utmost to resolve any vulnerabilities notified to us, so that users of our Technical Specifications can rely on them with confidence that they do not present opportunities for malicious third parties to discover and exploit any shortcomings in our Specs.

We encourage you, whether as an individual or as a representative of an organization with an interest in the security of telecommunications systems based on 3GPP Specifications, to provide as much information on detected vulnerabilities as possible using the on-line form. We will acknowledge all such declarations, and we guarantee that we will send the information to the appropriate 3GPP Group so that the problem can be analysed and resolved in as short a time as feasible. We will notify you when the vulnerability has been eliminated.

You may provide us with your name (real or an alias) and your email address so that we can get back to you with the final answer. We also ask that you give us permission to pass your name and email to the Group or Groups which we identify as that or those most suitable for resolving the vulnerability. Alternatively, you may provide information anonymously, in which case we guarantee not to try to identify you, for example by your IP address.

Unless you make your declaration anonymously, we also ask whether you wish to be publicly identified as the author of the vulnerability report and listed in our hall of fame.

3GPP and its member organizations are responsible for the writing and issuing of Technical Specifications, but we are not responsible for proprietary equipment designed, built and tested to those Specifications. Nevertheless, if you declare a vulnerability which is, you believe, the result of a misinterpretation or misimplementation of the provisions of a 3GPP Technical Specification, we would still encourage you to report it. We will notify the manufacturer or network operator and work with them to fix the problem, as well as correcting or clarifying the Specification if need be. We will also cooperate with other standards bodies (IETF, ISO, the 3GPP Organizational Partners, etc.), and with related bodies such as, but not limited to, our Market Representation Partners. Our aim will be to resolve the issue as effectively as possible.

We ask you not to share knowledge of the vulnerability with third parties until 3GPP has resolved it, and of course we ask you not to exploit that vulnerability except inasmuch as this might be necessary to gather the data needed to report it to us.

This field is mandatory, but you can use an alias if you wish to remain anonymous.
e.g. employer
Need not be a corporate address, you can use, for example, gmail. You can supply a dummy email address, but in that case we will not be able to contact you concerning your submission.
The investigating Group may wish to contact you for clarification or supplementary information, so it is highly recommended that you allow them to do so.
If you wish to be acknowledged, make sure you have supplied a valid email address above.
Brief but meaningful
Give as full a description as possible.
List here any Specifications which might need to be updated to correct the vulnerability, if you can identify them.
Is the vulnerability easy to reproduce?
Be as explicit as possible
You may upload a file containing supporting material (diagrams, timings, supplementary text, ...). Acceptable file types are: .txt, .doc, .docx, .jpg, .pdf.
We really hope you will say "no"!

Note: ETSI has a separate process for their specifications; see the ETSI CVD Process.