Follow Swisscom Subscribe to News Network status Contact
Follow Swisscom Subscribe to News Network status Contact

Bug Bounty

More

    Bug Bounty: closes security gaps

    Our Bug Bounty programme supports the reporting and quick elimination of security gaps (bugs) in our products and services. We invite both private individuals and organisations to report weak points to our Computer Security Incident Response Team (CSIRT).

    Report security gaps

    Please report any security vulnerability directly on our portal:

    Bug Bounty Portal

    For any other inquiries regarding the Bug Bounty programme please contact us by e-mail:

    bug.bounty@swisscom.com

    PGP key id EACE7621
    PGP fingerprint 0D9E 4E7C AA3D 666F 7AA8  2126 FA1E 1D53 EACE 7621
    PGP public key public key
    Postal address
    		 Swisscom (Switzerland) Ltd
    GSE-CYD
    Alte Tiefenaustrasse 6
    CH-3048 Worblaufen

    Report content

    Your report must contain all the information we need to confirm the vulnerability. This includes:
     

    • type of security vulnerability
    • exact details of the product/service concerned
    • clear and comprehensible description of the vulnerability and all information necessary to identify the affected system
    • potential exploitation of the vulnerability must be clearly verifiable, for example with step by step instructions
    • additional information such as PoC scripts, screenshots, HTTP requests etc.

    Reports about the following issues and systems are considered irrelevant:
     

    • The absence of a security feature alone or disclosure of too much non-sensitive information do not constitute a security vulnerability. Examples:
      •   Information Disclosure without disclosing sensitive data
      •   Clickjacking
      •   Open Redirects
    • Issues about systems with these domains: *.cust.swisscom.ch
    • Reports about Fastweb

    Basic principle

    All those involved in the collaboration between Swisscom and the security community observe the following rules:
     

    • vulnerabilities are handled in accordance with the principle of responsible disclosure (see below)
    • only Swisscom is notified
    • all activities leading to the discovery of a security gap are conducted within the bounds of the law
    • bounties may be awarded. The bounty amount depends on the criticality of the vulnerability and on the quality of the documentation provided to Swisscom.

    Responsible disclosure

    Swisscom's understanding of responsible disclosure:
     

    • Swisscom has sufficient time, typically at least 90 days, to verify and eliminate the vulnerability.
    • The tests must not impair Swisscom services and products
    • Third-party data may not be spied out or disclosed
    • No third parties should be informed about the vulnerability
    • Claims related to the reporting of a vulnerability will not be considered.

    Procedure

    Swisscom CSIRT bears responsibility for a standardised procedure that accepts externally reported security vulnerabilities, remediates and publishes them in a coordinated manner as appropriate.

    Remediated security vulnerabilities

    ID Product concerned Credits
    CVE-2020-16134
    		 Swisscom Internet-Box Martin Jindra – digi.ch GmbH
    CVE-2019-19940
    CVE-2019-19941
    CVE-2019-19942    		 Swisscom Centro Grande,
    Swisscom Centro Business    		 Cyril Mueller
    SCBB-2986 Tufin Secure Change Raphaël Arrouas
    SCBB-2629 Swisscom Internet Box Matthias Galliker
    CVE-2018-16596 Swisscom Internet-Box Michael Mazzolini – GoldNetwork

    CVE-2018-15476

    CVE-2018-15477

    CVE-2018-15478

    CVE-2018-15479

    CVE-2018-15480

    		 myStrom WiFi Product Line Jan Almeroth (@almeroth)
    CVE-2018-13108 Centro Business (ADB) Johannes Greil (Office Vienna), SEC Consult Vulnerability Lab
    CVE-2018-6765 Swisscom MySwisscomAssistant Kushal Arvind Shah, Fortinet FortiGuard Labs
    CVE-2018-6766 Swisscom TVMediaHelper Kushal Arvind Shah, Fortinet FortiGuard Labs
    CVE-2016-10042 Swisscom Internet Box (Arcadyan) Mateusz Khalil
    2016-6270433 Swisscom DSL Router Centro Grande (ARRIS/Motorola) Matthias Galliker
    CVE-2015-6498 Home Device Manager, Alcatel-Lucent Dr. Ulrich Fiedler,
    BFH-TI Biel/Bienne
    CVE-2015-1188 Swisscom DSL Router Centro Grande (ADB), ADB Ivan Almuina
    CVE-2015-1187 D-Link DIR636L, D-Link Tiago Caetano Henriques
    CVE-2014-3809 1830 Photonic Service Switch, Alcatel-Lucent Stephan Rickauer

    Company

    Investors

    News

    Jobs

    Residential

    Business