Responsible disclosure

Nokia Networks position on responsible vulnerability disclosure

This page is intended for security researchers who are not directly affiliated with Nokia Networks' customers. If you are a customer, we recommend using the official contact point in your customer team.

Nokia Networks is committed to high security standards. We recognize the critical importance of telecommunications in the modern world, and strive to be at the front line of protecting networks. In any instance of a vulnerability being found in any of our products, it is vital that we are notified as early as possible to prevent any potential damage.

To alert us, please email security-alert [at] nsn [dot] com. You are welcome to use the PGP key associated with this email address; the key ID is 08EA 4CB7 (available on public keyservers).

We will acknowledge receipt of your report within 5 working days (subject to public holidays in the countries where we operate), and provide you with a report and the estimated fix release date within two weeks. While we aim to adhere to a "reasonable resolution time" set by many software companies, we are unable to promise a set resolution date. There are several reasons for such caution. For example, the telecommunication industry is heavily controlled by standards and government regulations, and if a change requires agreements with either, the resolution date may be delayed.

For any new acknowledged vulnerability, we will include the name of the first reporter in our Hall of fame below.

After the release of a fix, our customers may receive the corresponding security update at different times, as there may be different agreements on schedules of patch delivery. Because of that, public disclosure of vulnerabilities even after the patch day might potentially put certain networks at risk. We kindly ask researchers to consider this fact.

Finally, we would like to thank all of you for making telecommunication networks more secure.

Nokia Networks product security team.

Hall of fame

We would like to thank the following people who have found vulnerabilities in Nokia Networks products and have made a responsible disclosure to us:

- Please be the first one to show your security competence!

We would like to thank the following people who have found new vulnerabilities in Nokia Networks web pages and have made a responsible disclosure to us. Individuals who found 5 or more new vulnerabilities are additionally granted prime reporter status:

November 2012:

December 2012:

January 2013:

August 2013:

September 2013:

October 2013:

November 2013:

December 2013:

January 2014:

February 2014:

March 2014:

April 2014:

May 2014:

June 2014:

Thank you and congratulations for demonstrating your technical skills, security knowledge, and responsible behavior!