Bug Bounty: closes security gaps

Our Bug Bounty programme supports the reporting and quick elimination of security gaps (bugs) in our products and services. We invite both private individuals and organisations to report weak points to our Computer Security Incident Response Team (CSIRT).

Report security gaps

Please report any security vulnerability directly on our portal:

Bug Bounty Portal

For any other inquiries regarding the Bug Bounty programme please contact us by e-mail:

bug.bounty@swisscom.com

PGP key id	EACE7621
PGP fingerprint	0D9E 4E7C AA3D 666F 7AA8 2126 FA1E 1D53 EACE 7621
PGP public key	public key
Postal address	Swisscom (Switzerland) Ltd GSE-CYD Alte Tiefenaustrasse 6 CH-3048 Worblaufen

Report content

Your report must contain all the information we need to confirm the vulnerability. This includes:

type of security vulnerability
exact details of the product/service concerned
clear and comprehensible description of the vulnerability and all information necessary to identify the affected system
potential exploitation of the vulnerability must be clearly verifiable, for example with step by step instructions
additional information such as PoC scripts, screenshots, HTTP requests etc.

Reports about the following issues and systems are considered irrelevant:

The absence of a security feature alone or disclosure of too much non-sensitive information do not constitute a security vulnerability. Examples:
- Information Disclosure without disclosing sensitive data
- Clickjacking
- Open Redirects
Issues about systems with these domains: *.cust.swisscom.ch
Reports about Fastweb

Basic principle

All those involved in the collaboration between Swisscom and the security community observe the following rules:

vulnerabilities are handled in accordance with the principle of responsible disclosure (see below)
only Swisscom is notified
all activities leading to the discovery of a security gap are conducted within the bounds of the law
bounties may be awarded. The bounty amount depends on the criticality of the vulnerability and on the quality of the documentation provided to Swisscom.

Responsible disclosure

Swisscom's understanding of responsible disclosure:

Swisscom has sufficient time, typically at least 90 days, to verify and eliminate the vulnerability.
The tests must not impair Swisscom services and products
Third-party data may not be spied out or disclosed
No third parties should be informed about the vulnerability
Claims related to the reporting of a vulnerability will not be considered.

Procedure

Swisscom CSIRT bears responsibility for a standardised procedure that accepts externally reported security vulnerabilities, remediates and publishes them in a coordinated manner as appropriate.

Remediated security vulnerabilities

ID	Product concerned	Credits
CVE-2020-16134	Swisscom Internet-Box	Martin Jindra – digi.ch GmbH
CVE-2019-19940 CVE-2019-19941 CVE-2019-19942	Swisscom Centro Grande, Swisscom Centro Business	Cyril Mueller
SCBB-2986	Tufin Secure Change	Raphaël Arrouas
SCBB-2629	Swisscom Internet Box	Matthias Galliker
CVE-2018-16596	Swisscom Internet-Box	Michael Mazzolini – GoldNetwork
CVE-2018-15476 CVE-2018-15477 CVE-2018-15478 CVE-2018-15479 CVE-2018-15480	myStrom WiFi Product Line	Jan Almeroth (@almeroth)
CVE-2018-13108	Centro Business (ADB)	Johannes Greil (Office Vienna), SEC Consult Vulnerability Lab
CVE-2018-6765	Swisscom MySwisscomAssistant	Kushal Arvind Shah, Fortinet FortiGuard Labs
CVE-2018-6766	Swisscom TVMediaHelper	Kushal Arvind Shah, Fortinet FortiGuard Labs
CVE-2016-10042	Swisscom Internet Box (Arcadyan)	Mateusz Khalil
2016-6270433	Swisscom DSL Router Centro Grande (ARRIS/Motorola)	Matthias Galliker
CVE-2015-6498	Home Device Manager, Alcatel-Lucent	Dr. Ulrich Fiedler, BFH-TI Biel/Bienne
CVE-2015-1188	Swisscom DSL Router Centro Grande (ADB), ADB	Ivan Almuina
CVE-2015-1187	D-Link DIR636L, D-Link	Tiago Caetano Henriques
CVE-2014-3809	1830 Photonic Service Switch, Alcatel-Lucent	Stephan Rickauer