Responsible Disclosure

05/15/2018 - 03:45 PM


To send a detected vulnerability write to
responsible-disclosure@telecomitalia.it

Below you will find the rules to follow.

Responsible Disclosure is a method to report system vulnerabilities which allows the recipient sufficient time to identify and apply the necessary countermeasures before making the information public.

By following this controlled and ethically correct model of reporting, the sender helps companies to identify and resolve system flaws, thus providing a valuable and efficient contribution to increase the security of ICT services and avoiding damage or disruption to the systems involved.

Whenever a customer, researcher or expert identifies one or more vulnerabilities in the following environments:

  • TIM portals (e.g. www.tim.it, telecomitalia.com, etc.)
  • Mobile applications bearing the TIM logo and published on official stores (e.g. TIM Music, My TIM Fisso, TIM Telefono)
  • Devices bearing the TIM logo (e.g. TIM Vision decoder, ADSL modem-router, etc., with the exception of cellular phones)
  • Equipment pertaining to TIM's fixed-line or mobile network (e.g. routers, load balancers, etc.)

he or she can send the information to TIM following the procedure laid out below.

Using the following procedure, whoever informs TIM of a system vulnerability is required to make a responsible disclosure so as not to expose other clients to unnecessary security risks.

The reporting person must avoid performing any activity that can either disrupt the impacted system or service or cause any data leakage/loss.

Responsible disclosure implies that the reporting person has not accessed or disclosed any third-party data.

Specifically, whoever activates the procedure must:

  1. Send the information via email to responsible-disclosure@telecomitalia.it with the following details:
    • Personal data (name, surname and, if applicable, organization for which the person works)
    • The type of vulnerability identified
    • The service/device/application impacted by the flaw
    • A detailed description of the problem encountered
    • Date on which the vulnerability was first discovered
    • A compressed archive (zip) with all the files which can help in reproducing the flaw (e.g. images, screenshots, text files with description details, PoC, source code, scripts, pcap traces, logs, source IP addresses, …). The archive size cannot exceed 10MB. If the archive is password protected, please specify the password in the body of the mail.
    • Consent, or refusal of consent, to forwarding your personal data to the producer (if any) of the technology involved, to allow a possible direct contact between the parties.
    • Consent, or refusal of consent, to being listed in the Hall of Fame section, together with an optional personal contact to be mentioned alongside your name and surname.
    • When activating the Responsible Disclosure procedure you may encrypt your mail using the following public key:
      PGP key: 0x68DEAD71
      Fingerprint: 0184D9E3E0CACB6F6E9A813BDE90CF9768DEAD71
  2. Observe strict secrecy on all information pertaining to the vulnerabilities discovered, and therefore commit not to reveal any of these, entirely or partially, or in any form make them available to third parties for a period of not less than 90 days, allowing TIM the required time to identify and apply the necessary countermeasures. In especially complex cases, TIM reserves the right to extend this period, giving sufficient notice to whoever sent the information.
  3. Where the information regarding the vulnerabilities comes from a legal entity (public or private), corporation, consortium or other associative body, the sender must take the necessary steps to limit access to said information to those employees who require the use of the affected system for their work activities, enacting all suitable and appropriate measures to maintain confidentiality and the above-mentioned limits while accessing and using the information.

Once a notice has been received, TIM is committed to following up as follows:

  1. Send an email to the reporting person/entity to acknowledge receipt of the mail with the information outlined above. Within 10 days from this confirmation TIM will send a second email with an evaluation of the relevance of the vulnerability and the results of an initial analysis.
  2. Adequately manage the vulnerability report so as to respect the timeline indicated previously and, in case of an eligible report on a vulnerability which is not already being handled, publicly thank the sender in the Hall of Fame section, if the necessary authorization accompanied the original mail.

TIM reserves the right not to manage reports which do not respect the criteria indicated in this procedure.

TIM stresses the importance of maintaining responsible behavior even after the release of any patch, as the rollout process can be long and complicated. We therefore ask for a careful evaluation of any information released in this regard, with the objective of safeguarding user security.

Below you will find some examples of vulnerability categories which are considered eligible for publication in the Hall of Fame:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Injection (e.g. SQL injection, injection via unvalidated user input)
  • Broken Authentication and Session Management
  • Broken Access Control
  • Security Misconfiguration
  • Redirect / Man in the Middle attacks
  • Remote code execution
  • Underprotected API
  • Privilege Escalation

On the other hand, the following situations are not covered by this Responsible Disclosure initiative and therefore are not eligible for the Hall of Fame:

  • Issues which are not security-related (e.g. unavailability of a service, bugs in a GUI, etc.); these are handled through the traditional customer care channels.
  • Problems regarding phishing or spam and vulnerabilities inherent to social engineering techniques; these must be reported either via email to abuse@telecomitalia.it or through the form available at http://www.telecomitalia.com/tit/en/sustainability/form-abuse.html
  • Results of automated vulnerability assessment/penetration testing tools (e.g. Nessus, nmap, …).

TIM reserves the right to update this Responsible Disclosure procedure at any time.

We would like to thank all persons who make a responsible disclosure to us and recognize their valuable contribution in increasing the security of our products and services.

2018

  • Luigi Gubello, www.gubello.me | Multiple XSS vulnerabilities
  • Emanuele Gentili, twitter.com/emgent | HTML Code injections, XSS vulnerability, Redirect, Security Misconfiguration
  • Davide Del Vecchio, www.davidedelvecchio.com | XSS vulnerability, Security Misconfiguration
  • Carlo Pelliccioni, twitter.com/cpelliccioni | Multiple XSS vulnerabilities, Redirect
  • Raffaele Forte, backbox.org | Remote Code Execution
  • Federico Valentini, twitter.com/f3d_0x0 | SQL injection
  • Frank Vickers, www.linkedin.com/in/frank-vickers-199109a | Multiple Security Misconfigurations
  • Andrei Manole, www.linkedin.com/in/andrei-manole-81626090 | XSS vulnerability
  • Alessandro Moccia, www.linkedin.com/in/mocciaalessandro | XSS vulnerability
  • Shubham Pathak, twitter.com/ShubhamPthk | Multiple Security Misconfiguration
  • Paolo Montesel, twitter.com/pmontesel | Underprotected API
  • Simone Cardona, www.linkedin.com/in/simone-cardona | Multiple XSS vulnerability, Redirect
  • Vishal Jain, linkedin.com/in/vishaljain113 | Security Misconfiguration
  • Michele Toccagni, hacktips.it | SQL injection
  • Alfie Njeru, twitter.com/emenalf | Multiple Security Misconfigurations
  • Federico Zambito, www.linkedin.com/in/federico-zambito-2b967571 | Redirect
  • Mohamed Ouad, www.linkedin.com/in/ouadmoha | Broken Authentication and Session Management
  • Ezio Paglia, www.linkedin.com/in/ezio-paglia-3704196 | Security Misconfiguration
  • Akash Labade, www.linkedin.com/in/m0ns7er | CSRF, XSS vulnerability
  • Domenico Curigliano, www.linkedin.com/in/domenico-matis-curigliano | Remote code execution
  • Jose Carlos Exposito | XSS vulnerability