Coordinated Vulnerability Disclosure (CVD)
ETSI has provided a place for individuals or organizations to responsibly disclose a vulnerability that they have found in ETSI standards. The full ETSI CVD Process is described transparently on this page, from the moment of reporting to the resolution of the vulnerability, where ETSI works with its members, spanning over 60 countries and five continents, to develop fixes.
Please find information in the following sections, including how to report a vulnerability.
- CVD Process
- Legal Notice
- Report a Vulnerability
As a world-leading standards organization, ETSI recognizes the value of a Coordinated Vulnerability Disclosure process in improving the security of its standards. Importantly, ETSI aims to resolve all valid vulnerabilities within 90 days of reporting.
Note: Disclosures to ETSI's CVD Process must focus on ETSI standards.
Definitions
ETSI CVD Steering Committee: committee which, for each vulnerability report, triages the vulnerability, interacts with the Chair and the ETSI Technical Officer for the relevant TB/ISG and the rapporteur(s) of the impacted standard(s) to resolve the vulnerability, and communicates on the progress of the handling of the vulnerability report with the Finder.
Finder: individual or organization who has found a potential vulnerability
Vulnerability: security weakness that can be abused to cause unintended behaviour
CVD process
This section describes the CVD process, from submission of the vulnerability report to its resolution.
- Once a vulnerability report is submitted by a Finder, it is shared with the ETSI CVD Steering Committee. They triage the vulnerability and share the report with the Chair and the ETSI Technical Officer for the relevant TB/ISG and the rapporteur(s) of the impacted standard(s). The Finder will receive an email from the ETSI CVD Steering Committee that the report has progressed to the impacted TB/ISG.
- Next, the impacted TB/ISG assesses the vulnerability report at a committee-wide meeting. The vulnerability is assessed, and either accepted or rejected as to its validity. In either case, the Finder is notified.
- If the vulnerability report is assessed as valid, the impacted TB/ISG works to create a resolution. The resolution is prepared and adopted using the ETSI decision-making procedures by the impacted TB/ISG, and the Finder is informed by email of what the resolution is and that it has been made.
- ETSI aims to resolve all valid vulnerabilities within 90 days of reporting, though it may take longer for complicated fixes.
CVD Legal Notice
As the ETSI Coordinated Vulnerability Disclosure (CVD) Process is designed to benefit the security of ETSI standards, the ETSI CVD Steering Committee, ETSI, its staff and members do not warrant or assume any liability for the responsibilities of this process, or "Vulnerability Resolution" outcomes, and any other activities or milestones set forth by ETSI. Each beneficiary of this activity will engage in this offering without reliance or any representation and/or warranty of the other parties and all such representations and/or warranties are, to the greatest extent permitted by applicable law, hereby disclaimed.
The vulnerability will be handled in accordance with the ETSI CVD Process. Disclosures to ETSI's CVD Process must focus on ETSI standards. Disclosures outside of this scope will not be addressed by ETSI.
Taking into consideration that ETSI is a not-for-profit association, disclosures to the ETSI CVD Process will not generate any financial compensation for the Finder.
Finder Responsibilities
When submitting a vulnerability report, the Finder (individual or organization who has found a potential vulnerability) commits to:
- Only share findings with ETSI using the vulnerability report form
- Provide a Proof-of-Concept and/or sufficient information to enable reproduction of the vulnerability. This allows the vulnerability report to be verified and allows possible fixes to be proposed.
- Submit vulnerabilities pertaining only to ETSI standards
ETSI also requests that the Finder undertakes not to disclose the vulnerability to other people until it has been resolved by ETSI, not to use the vulnerability for exploitation beyond the minimum necessary to demonstrate the vulnerability, and not to leverage the vulnerability for financial gain. As far as possible, these resolutions will happen within 90 days, when the vulnerability has been assessed as valid, in accordance with ETSI's CVD process timeframes.
ETSI Responsibilities
ETSI will:
- Treat submitted reports confidentially. ETSI will not share the Finder's details with third parties without the Finder’s authorization, unless legally required to do so.
- Accept reports from anonymous Finders. However, Finders engaging anonymously accept that ETSI may be unable to contact them on topics concerning but not limited to: the vulnerability, progress towards resolution of the vulnerability, publication of the vulnerability.
- Acknowledge the vulnerability report submitted by the Finder within 7 days of its submission, if the Finder is not anonymous.
- Keep the Finder updated on progress throughout the process, except when this is not possible due to the Finder engaging anonymously.
- Aim to resolve valid vulnerabilities within 90 days. However, there may be times where fast resolution or any resolution is not a possible option, for a variety of reasons.
Report a Vulnerability
To report a vulnerability in 3GPP specifications, please use the 3GPP CVD Process.