Vodafone Vulnerability Disclosure Program

Introduction

We value the expertise and support of the cybersecurity community in maintaining our high security standards. You can use this site to report suspected security vulnerabilities in Vodafone services or products.

If you are aware of a vulnerability that could affect Vodafone's services or products, please submit it through our HackerOne program. Our security specialists will review all submissions and, where required, work with you to resolve any potential issues as quickly as possible.

Program Highlights

Gold Standard Safe Harbor — Adheres to Gold Standard Safe Harbor.

Top Response Efficiency — This program's response efficiency is above 90%.

Managed by HackerOne

• Average time to first response: 6 hours
• Average time to triage: 1 day, 4 hours
• Average time to resolution: 4 weeks, 1 day

Scope Exclusions

The following are out of scope:

• MITM: Attacks requiring MITM
• Known Vulnerable Libraries: Previously known vulnerable libraries without a working Proof of Concept
• Bruteforce: Bruteforce issues on non-authentication endpoints
• Storage Buckets: Static resources / public information "exposed" in storage buckets

Overview

Vodafone is a telecommunications company who provide internet services for businesses and consumers in a number of regions. Due to the nature of our business, there are many Autonomous System (AS) Numbers and IP address ranges that are registered to us with the various Regional Internet Registries.

As an internet service provider, we assign these IP addresses to our customers, who use them for many different purposes and without any input or interaction from Vodafone. If you are scanning public IP address ranges and identify vulnerabilities on assets that, when searched on common IP look-up tools, state they are Vodafone, please take additional steps to validate that the services you have identified are actually owned and administered by Vodafone before reporting to us.

To summarise, not everything that has "vodafone" in its FQDN actually belongs to us or is within our scope. If you discover vulnerabilities in services hosted by Vodafone but owned by third parties, please report them to the application's owner. Please note that in this situation, no permission to test has been granted by Vodafone or any of its subsidiaries.

Vodafone-Specific Requirements

HTTP Headers

To help us distinguish legitimate security research from malicious traffic, please add the following custom HTTP header to all your requests: X-HackerOne-Research: [H1 Username]

Asset Validation

Validate that the service you are reporting against is actually owned by Vodafone, and is not just running on an IP address within our customer-assigned IP address pools – for example, visit the service on an HTTP port and verify whether it is a Vodafone-owned website.

Reporting Requirements

• Submit reports in English
• Provide sufficient proof-of-concept to enable reproduction and verification of the vulnerability

General Disclosure

This program follows HackerOne's standard disclosure guidelines. All vulnerabilities are strictly confidential, therefore public disclosure of your findings via a blog post, social media, or any other type of medium is not allowed.

Vodafone Commitments

• We treat all submitted reports confidentially and will not share the researcher personal details with third parties without authorisation, except when required by legal obligations.
• We will resolve all submitted reports as quickly as possible.

Reporting Other Non-Vulnerability Issues

If you want to report any other issue not related to security, please refer to the support or contact pages of the relevant Vodafone Local Market, Vodafone Partner Market, or Vodafone Business website.