Reporting vulnerabilities
We value the expertise and help of the cyber security community in helping us maintain our high security standards. You can use this site to report any suspected security vulnerabilities related to our services or products.
If you are aware of a vulnerability that could affect Vodafone’s services or products, please contact us via the link disclosed under “How to Report a Vulnerability”. Our security specialists will review all submissions and, where required, work with you to make sure we are able to fix any potential issues as quickly as possible.
Rules of engagement
Vulnerability disclosure policy guidelines
As a responsible member of the cyber security community, your expertise can help us fix potential issues faster and more effectively. If you find a suspected vulnerability relevant to Vodafone, please let us know so we can fix the problem as soon as possible.
- Do submit your reports in English
- Do exercise caution and restraint with regard to personal data and do not intentionally engage in attacks against third parties, social engineering, denial-of-service attacks, physical attacks on any Vodafone property or spamming or otherwise causing a nuisance to other users.
- Do provide Proof-of-Concept or sufficient information to enable reproduction of the vulnerability, so that it can be verified, reproduced, and possible remedies identified. Generally, identification of the vulnerable target, a description of the vulnerability and operations carried out to exploit the vulnerability are sufficient, but more details and information might be required in the case of complex vulnerabilities.
- Do not abuse the vulnerability by causing disruption through your actions.
- Do not share information about the vulnerability with others until it has been resolved.
- Do submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- We will treat submitted reports confidentially and will not share the finder’s personal details with third parties without their authorisation, unless required to do so to comply with legal obligations.
- We will resolve all submitted reports as quickly as possible.
When reporting vulnerabilities, please consider (1) the attack scenario and exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user’s device
- Previously known vulnerable libraries without a working Proof of Concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Any activity that could lead to the disruption of our service (DoS)
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
- Rate limiting or brute force issues on non-authentication endpoints
- Missing best practices in Content Security Policy
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers
- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
- Tabnabbing
- Open redirect, unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
- Static resources / public information “exposed”
- Physical attacks towards any Vodafone property
If you want to report any other type of issue not related to security, please refer to the support or contact pages of Vodafone.
This program is invitation-only. If you would like to be invited to enrol, please send us your name, date of birth, and your HackerOne user ID via “security(at)vodafone(dot)om”.