Details

Report content

Your report must contain all the information we need to confirm the vulnerability. This includes:

type of security vulnerability
exact details of the product/service concerned
clear and comprehensible description of the vulnerability and all information necessary to identify the affected system
potential exploitation of the vulnerability must be clearly verifiable, for example with step by step instructions
additional information such as PoC scripts, screenshots, HTTP requests etc.

Reports about the following issues and systems are considered irrelevant:

The absence of a security feature alone or disclosure of too much non-sensitive information do not constitute a security vulnerability. Examples:
Information Disclosure without disclosing sensitive data
Clickjacking
Open Redirects
Issues about systems with these domains: *.cust.swisscom.ch
Reports about Fastweb

Basic principle

All those involved in the collaboration between Swisscom and the security community observe the following rules:

vulnerabilities are handled in accordance with the principle of responsible disclosure (see below)
only Swisscom is notified
all activities leading to the discovery of a security gap are conducted within the bounds of the law
bounties may be awarded. The bounty amount depends on the criticality of the vulnerability and on the quality of the documentation provided to Swisscom.

Responsible disclosure

Swisscom's understanding of responsible disclosure:

Swisscom has sufficient time, typically at least 90 days, to verify and eliminate the vulnerability.
The tests must not impair Swisscom services and products
Third-party data may not be spied out or disclosed
No third parties should be informed about the vulnerability
Claims related to the reporting of a vulnerability will not be considered

Procedure

Swisscom CSIRT bears responsibility for a standardised procedure that accepts externally reported security vulnerabilities, remediates and publishes them in a coordinated manner as appropriate.

Report content

Your report must contain all the information we need to confirm the vulnerability. This includes:

type of security vulnerability

exact details of the product/service concerned

clear and comprehensible description of the vulnerability and all information necessary to identify the affected system

potential exploitation of the vulnerability must be clearly verifiable, for example with step by step instructions

additional information such as PoC scripts, screenshots, HTTP requests etc.

Reports about the following issues and systems are considered irrelevant:

The absence of a security feature alone or disclosure of too much non-sensitive information do not constitute a security vulnerability. Examples:

Information Disclosure without disclosing sensitive data

Clickjacking

Open Redirects

Issues about systems with these domains: *.cust.swisscom.ch

Reports about Fastweb

Basic principle

All those involved in the collaboration between Swisscom and the security community observe the following rules:

vulnerabilities are handled in accordance with the principle of responsible disclosure (see below)

only Swisscom is notified

all activities leading to the discovery of a security gap are conducted within the bounds of the law

bounties may be awarded. The bounty amount depends on the criticality of the vulnerability and on the quality of the documentation provided to Swisscom.

Responsible disclosure

Swisscom's understanding of responsible disclosure:

Swisscom has sufficient time, typically at least 90 days, to verify and eliminate the vulnerability.

The tests must not impair Swisscom services and products

Third-party data may not be spied out or disclosed

No third parties should be informed about the vulnerability

Claims related to the reporting of a vulnerability will not be considered