Responsible Disclosure

06/06/2019 - 03:15 PM

To report a vulnerability you have found, write to
responsible-disclosure@telecomitalia.it

Below you will find the rules to follow.

Responsible Disclosure is a method of reporting system vulnerabilities that gives the recipient sufficient time to identify and apply the necessary countermeasures before the information is made public.

By following this controlled and ethically correct reporting model, the reporter helps companies identify and fix system flaws, making a valuable and efficient contribution to the security of ICT services while avoiding damage or disruption to the systems involved.

If a customer, researcher or expert identifies one or more vulnerabilities in the following environments:

  • TIM portals (e.g. www.tim.it, telecomitalia.com, etc.)
  • Mobile applications bearing the TIM logo and published on official stores (e.g. TIM Music, My TIM Fisso, TIM Telefono)
  • Devices bearing the TIM logo (e.g. TIM Vision decoder, ADSL modem-router, etc., with the exception of cellular phones)
  • Equipment belonging to TIM's fixed-line or mobile network (e.g. routers, load balancers, etc.)

he or she can send the information to TIM following the procedure laid out below.

Whoever informs TIM of a system vulnerability through this procedure is required to make a responsible disclosure, so as not to expose other customers to unnecessary security risk.

The reporter must avoid any activity that could disrupt the affected system or service or cause data leakage or loss.

Responsible disclosure also implies that the reporter has not accessed or disclosed any third-party data without the owner's consent.

Specifically, whoever activates the procedure must:

  1. Send the information by email to responsible-disclosure@telecomitalia.it with the following details:
    • Personal data (name, surname and, if applicable, the organization you work for)
    • The type of vulnerability identified
    • The service/device/application affected by the flaw
    • A detailed description of the problem encountered
    • The IP address from which the vulnerability was identified, together with the date and time of discovery
    • A compressed archive (zip) containing everything that helps reproduce the flaw (e.g. images, screenshots, text files with details, PoC, source code, scripts, pcap traces, logs, source IP addresses, …). The archive must not exceed 10MB. If the archive is password protected, state the password in the body of the mail.
    • Whether or not you consent to your personal data being forwarded to the vendor of the technology involved, if there is one, for possible direct contact between the parties.
    • Whether or not you consent to being listed in the Hall of Fame section, together with an optional personal contact if you want it shown alongside your name and surname.
    • When activating the Responsible Disclosure procedure you may encrypt your mail with the following public key:
      PGP key: 0x68DEAD71
      Fingerprint: 0184D9E3E0CACB6F6E9A813BDE90CF9768DEAD71
  2. Keep all information about the discovered vulnerabilities strictly confidential: do not reveal any of it, in whole or in part, or make it available to third parties in any form, for a period of at least 90 days, giving TIM the time needed to identify and apply the necessary countermeasures. In especially complex cases TIM reserves the right to extend this period, giving the reporter sufficient notice.
  3. Where the vulnerability information comes from a legal entity (public or private), corporation, consortium or other association, the sender must limit access to that information to the employees who need it for their work on the affected system, adopting all suitable measures to preserve its confidentiality and the limits above when accessing and using it.
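As an added example (not part of TIM's procedure or tooling), the following POSIX shell script checks that the short key ID and the fingerprint printed above agree, then imports the published key and refuses to encrypt the report archive unless gpg reports exactly that fingerprint for it. The key ID and fingerprint are the ones given above; the key file and archive names are assumed to be supplied by the caller. A short key ID is only the low 32 bits of the fingerprint and can be collided at will, so the full fingerprint is the value to compare after importing the key, never the 8-digit ID alone.

```shell
#!/bin/sh
# Added example (not from the TIM page): verify the disclosure key before
# encrypting a report to it. The two values below are copied from the page;
# the key file and archive names are caller-supplied.
TIM_FPR="0184D9E3E0CACB6F6E9A813BDE90CF9768DEAD71"
TIM_KEYID="0x68DEAD71"

# normalize_fpr STR: drop whitespace and a leading 0x, force upper case,
# so values pasted from web pages or gpg output compare byte-for-byte.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t\r\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# check_fpr FPR KEYID: succeed only if FPR is a 40-hex-digit (v4) fingerprint
# whose last 8 digits are KEYID. A short key ID is just the low 32 bits of
# the fingerprint and is trivially collidable, so the fingerprint is what
# must be trusted; this check only catches a mistyped or mismatched pair.
check_fpr() {
  fpr=$(normalize_fpr "$1")
  kid=$(normalize_fpr "$2")
  case "$fpr" in
    ""|*[!0-9A-F]*) return 1 ;;
  esac
  [ "${#fpr}" -eq 40 ] || return 1
  [ "${#kid}" -eq 8 ] || return 1
  prefix=${fpr%????????}          # everything but the last 8 hex digits
  suffix=${fpr#"$prefix"}         # the last 8 hex digits
  [ "$suffix" = "$kid" ]
}

# encrypt_report KEYFILE ARCHIVE: import the published key from KEYFILE,
# refuse unless gpg reports exactly TIM_FPR for it, then encrypt ARCHIVE
# to that fingerprint as ARCHIVE.gpg.
encrypt_report() {
  keyfile=$1
  archive=$2
  check_fpr "$TIM_FPR" "$TIM_KEYID" \
    || { echo "key ID and fingerprint disagree" >&2; return 1; }
  gpg --import "$keyfile" || return 1
  # In --with-colons output the 'fpr' record carries the full fingerprint in field 10.
  actual=$(gpg --with-colons --fingerprint "$TIM_FPR" 2>/dev/null \
           | awk -F: '$1 == "fpr" { print $10; exit }')
  [ "$actual" = "$TIM_FPR" ] \
    || { echo "fingerprint mismatch: got '$actual'" >&2; return 1; }
  # The fingerprint was verified above, so bypass the web-of-trust prompt.
  gpg --trust-model always --encrypt --recipient "$TIM_FPR" \
      --output "$archive.gpg" "$archive"
}

# Usage: sh encrypt_report.sh KEYFILE ARCHIVE.zip
if [ "$#" -eq 2 ]; then
  encrypt_report "$1" "$2"
fi
```

Obtain the key file from TIM or a keyserver, then run the script with that file and your zip archive; mail the resulting .gpg file. If gpg shows a different fingerprint than the one printed on this page, stop and do not send the report to that key.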

Once a report has been received, TIM commits to the following:

  1. Send an email to the reporter acknowledging receipt of the report with the details listed above. Within 10 days of this acknowledgement TIM will send a second email with an assessment of the vulnerability's relevance and the results of an initial analysis.
  2. Manage the vulnerability report so as to respect the timeline indicated above and, if the report is eligible and concerns a vulnerability not already being handled, publicly thank the sender in the Hall of Fame section, provided the necessary authorization accompanied the original mail.

TIM reserves the right not to manage reports which do not respect the criteria indicated in this procedure.

TIM stresses the importance of continuing to behave responsibly even after a patch is released, since the rollout process can be long and complicated. We therefore ask you to evaluate carefully what information you publish about the issue, with the aim of safeguarding user security.

Below you will find some examples of vulnerability categories which are considered eligible for publication in the Hall of Fame:

  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Injection (e.g. SQL injection via unvalidated user input)
  • Broken Authentication and Session Management
  • Broken Access Control
  • Security Misconfiguration
  • Redirect / Man-in-the-Middle attacks
  • Remote code execution
  • Underprotected API
  • Privilege Escalation

On the other hand, the following situations are not covered by this Responsible Disclosure initiative and therefore are not eligible for the Hall of Fame:

  • Issues that are not security related (e.g. unavailability of a service, bugs in a GUI, etc.), which are handled through the usual customer care channels.
  • Phishing or spam problems and vulnerabilities that rely on social engineering techniques; report these either by email to abuse@telecomitalia.it or through the form available at https://www.telecomitalia.com/tit/en/sustainability/form-abuse.html
  • Raw output of automated vulnerability assessment/penetration testing tools (e.g. Nessus, nmap, …).

TIM reserves the right to update this Responsible Disclosure procedure at any time.

We would like to thank all persons who make a responsible disclosure to us and recognize their valuable contribution in increasing the security of our products and services.

Hall of Fame

2019

  • Andrea Guglielmini, www.linkedin.com/in/andrea-g-563626112 | XSS vulnerability
  • Andrei Conache, http://linkedin.com/in/andrei-conache | Multiple XSS vulnerabilities
  • Andrei Manole, www.linkedin.com/in/andrei-manole-81626090 | SQL injection
  • Antonio Arlia Ciombo, www.linkedin.com/in/antonio-arlia-ciombo-122191121 | XSS vulnerability
  • Flavio Baldassi, www.linkedin.com/in/flavio-baldassi | Multiple Security Misconfigurations
  • Francesco Lacerenza, linkedin.com/in/francesco-lacerenza | Security Misconfiguration
  • Mario Alviano, alviano.com | Broken Authentication and Session Management, Underprotected API
  • Simone Quatrini | Multiple Security Misconfigurations

2018

  • Abdel Adim Oisfi, twitter.com/smaury92 | XSS vulnerability
  • Akash Labade, www.linkedin.com/in/m0ns7er | CSRF, XSS vulnerability
  • Akash Upadhyay, www.linkedin.com/in/akash-upadhayay | Multiple Redirects
  • Alessandro Groppo, it.linkedin.com/in/alessandro-groppo-1a0429146 | Security Misconfiguration
  • Alessandro Moccia, www.linkedin.com/in/mocciaalessandro | XSS vulnerability
  • Alessio Santoru, www.linkedin.com/in/alessiosantoru | XSS vulnerability
  • Alfie Njeru, twitter.com/emenalf | Multiple Security Misconfigurations
  • Andrea Bocchetti, www.linkedin.com/in/andreabocchetti | Multiple XSS vulnerabilities, Redirect
  • Andrea Draghetti, www.andreadraghetti.it | Security Misconfiguration
  • Andrea Guglielmini, www.linkedin.com/in/andrea-g-563626112 | Underprotected API
  • Andrei Conache, twitter.com/andrei_conache | Multiple XSS vulnerabilities
  • Andrei Manole, www.linkedin.com/in/andrei-manole-81626090 | XSS vulnerability
  • Angelo Anatrella, angelo.anatrella@gmail.com | XSS vulnerability
  • Antonio Cannito, m.facebook.com/antonio.cannito.banzi | Multiple Security Misconfigurations, CSRF, Multiple XSS vulnerabilities, Broken Authentication and Session Management, SQL injection
  • Bill Ben Haim, www.linkedin.com/in/vill-ben-haim-b6775a48 | XSS vulnerability
  • Carlo Pelliccioni, twitter.com/cpelliccioni | Multiple XSS vulnerabilities, Redirect
  • Cristiano Maruti, www.linkedin.com/in/cmaruti | Broken Access Control, XSS vulnerability
  • Davide Del Vecchio, www.davidedelvecchio.com | XSS vulnerability, Security Misconfiguration
  • Domenico Curigliano, www.linkedin.com/in/domenico-matis-curigliano | Multiple Remote code executions, Multiple XSS vulnerabilities, Redirect
  • Donato Scaramuzzo, www.linkedin.com/in/donato-scaramuzzo-1911b83a | Broken Authentication and Session Management
  • Emanuele Gentili, twitter.com/emgent | HTML Code injections, XSS vulnerability, Redirect, Security Misconfiguration
  • Ezio Paglia, www.linkedin.com/in/ezio-paglia-3704196 | Multiple Security Misconfigurations, Multiple XSS vulnerabilities
  • Fabio Pietrosanti, twitter.com/fpietrosanti | Security Misconfiguration
  • Federico Camponogara, www.linkedin.com/in/federico-shellock-ab616a30 | Redirect, Broken Access Control, Security Misconfiguration
  • Federico Valentini, twitter.com/f3d_0x0 | SQL injection
  • Federico Zambito, www.linkedin.com/in/federico-zambito-2b967571 | Redirect
  • Frank Vickers, www.linkedin.com/in/frank-vickers-199109a | Multiple Security Misconfigurations
  • Giovanni Guido, twitter.com/cafebab3 | XSS vulnerability
  • Giulio Comi, linkedin.com/in/giuliocomi | Remote code execution
  • Ismail Tasdelen, www.linkedin.com/in/ismailtasdelen | Multiple Security Misconfigurations
  • Jacopo Jannone, www.jacopojannone.com | XSS vulnerability
  • Jose Carlos Exposito Bueno | Multiple XSS vulnerabilities, SQL injection
  • Kasper Karlsson | XSS vulnerability
  • Lorenzo Comi, www.linkedin.com/in/lorenzo-comi-53b94789 | SQL Injection, Broken Authentication and Session Management
  • Lorenzo Stella, www.linkedin.com/in/stellalorenzo | Security Misconfiguration, Underprotected API
  • Luca Capacci, www.linkedin.com/in/lucacapacci | Redirect
  • Luigi Gubello, www.gubello.me | Multiple XSS vulnerabilities
  • Marco Nappi, www.linkedin.com/in/marco-nappi-a58224157/ | Multiple XSS vulnerabilities
  • Mattia Reggiani, twitter.com/mattia_reggiani | XSS vulnerability
  • Mert Can Esen, www.linkedin.com/in/mertcanesen | XSS vulnerability
  • Michele Toccagni, hacktips.it | SQL injection, XSS vulnerability, Multiple Security Misconfigurations
  • Mohamed Ouad, www.linkedin.com/in/ouadmoha | Broken Authentication and Session Management, Underprotected API
  • Paolo Giai, keybase.io/polict | XSS vulnerability
  • Paolo Montesel, twitter.com/pmontesel | Underprotected API
  • Paolo Stagno, voidsec.com | XSS vulnerability, Redirect
  • Pasquale Fiorillo, www.pasqualefiorillo.it | XSS vulnerability, Multiple SQL injections
  • Raffaele Forte, backbox.org | Remote Code Execution
  • Raffaele Sabato, syrion.me | Multiple Security Misconfigurations
  • Shubham Pathak, twitter.com/ShubhamPthk | Multiple Security Misconfigurations
  • Simone Cardona, www.linkedin.com/in/simone-cardona | Multiple XSS vulnerabilities, Redirect, Security Misconfiguration
  • Simone Onofri, it.linkedin.com/in/simoneonofri | XSS vulnerability, Redirect
  • Simone Quatrini | Security Misconfiguration, XSS vulnerability
  • Valerio Mancini, www.linkedin.com/in/valerio-mancini-2520a067 | Remote code execution
  • Vincenzo Chieppa, twitter.com/Procode701 | XSS vulnerability, SQL injection
  • Vishal Jain, linkedin.com/in/vishaljain113 | Security Misconfiguration