- Portfolio
- Portfolio A to Z
- Products
- Solutions
- Security
- Carrier Ethernet Transport
- Customer Care Automation
- Customer Experience Management (CEM) for Liquid Net
- Device Management
- Heterogeneous Networks
- Integrated Packet Transport Network
- Mobile Backhaul
- Mobile Site Connectivity
- Multi Vendor Configuration Management and Optimization
- Multilayer Optimization
- Multiservice IP Backbone
- Network Sharing
- Operator Content Delivery Network (CDN)
- Policy Integration Package
- Quality of Service Differentiation
- Self Organizing Networks
- Service Operations and Management
- Smartphone Friendly Networks
- Subscriber Data Management
- Voice over LTE
- WCDMA Refarming
- Services
- Industries
- Endorsements
- Liquid Net
- Customer Experience Management
- Latest launches and updates
- Business Needs
- News & Events
- Innovative thinking
- Support
- About us
PrintNokia Siemens Networks position on responsible vulnerability disclosure
This page is intended for security researchers, who are not directly affiliated with Nokia Siemens Networks' customers. For our customers, we recommend to use the official contact point in your customer team.
Nokia Siemens Networks is committed to high security standards. We recognize the critical importance of telecommunications in the modern world, and strive to be the frontline of protecting networks. In any instance of a vulnerability being found in any of our products, it is vital that we are notified as early as possible to prevent any potential damage.
To alert us please email security-alert [at] nsn [dot] com. You are welcome to use the PGP key associated with this email address; key ID is 08EA 4CB7 (available on public keyservers).
We will acknowledge the receipt of your report within 5 working days (subject to public holidays in the countries where we operate), and provide you with a report and the estimated fix release date within two weeks. While we aim to adhere to a "reasonable resolution time" set by many software companies, we are unable to promise a set resolution date. There are several reasons for such caution, for example the telecommunication industry is heavily controlled by standards and government regulations, and if a change requires agreements with either the resolution date may be delayed.
For any new acknowledged vulnerability, we will include the name of the first reporter in our Hall of fame below.
It may be that after the release of the fix, our customers receive corresponding security update in different time periods, as there may be different agreements on schedules of patch delivery. Because of that, public disclosure of vulnerabilities even after the patch day might potentially put certain networks at risk. We kindly ask researchers to consider this fact.
Finally, we would like to thank all of you for making telecommunication networks more secure.
Nokia Siemens Networks product security team.
Hall of fame
We would like to thank the following people who have found vulnerabilities in Nokia Siemens Networks products and have made a responsible disclosure to us:
- Please be the first one to show your security competence!
We would like to thank the following people who have found new vulnerabilities in Nokia Siemens Networks web pages and have made a responsible disclosure to us. The individuals who found 5 or more new vulnerabilities, are additionally granted with prime reporter status:
November 2012:
- Ashar Javed (@soaj1664ashar)
- Guifre Ruiz Utges (Buguroo Offensive Security)
- Atulkumar Hariba Shedage (@atul_shedage)
- Rafay Baloch (rafayhackingarticles.net)
- David Vieira-Kurz of MajorSecurity (@secalert) - prime reporter!
- Vignesh Kumar(@vigneshkumarmr)
- Mathias Karlsson (@detectify, detectify.com)
- Siddhesh Gawde, Dylan S. Hailey (@TibitXimer)
- SimranJeet Singh(@Turbanator sJs) - Indishell
- Mohamed Ramadan (Attack-Secure.com) - prime reporter!
- Prakhar Prasad (prakharpd.blogspot.com, @prakharprasad)
- Wan Ikram (@rinakikun)
- Ajay Singh Negi (@ajaysinghnegi, computersecuritywithethicalhacking.blogspot.in)
- Ahmad Ashraff (@yappare) - prime reporter!
- Yuji Kosuga (@yujikosuga, yujikosuga.com)
- Karthik P (@karthik_panjaje, uglypointer.com)
- Frans Rosén (@detectify, detectify.com)
December 2012:
- Avram Marius Gabriel (www.randomstorm.com)
- Jean Pascal Pereira (www.secbiz.de)
- David Vieira-Kurz of MajorSecurity (@secalert)
- Himanshu Kumar Das (@mehimansu)
- Ahmad Ashraff (@yappare)
- Fredrik Nordberg Almroth (@detectify, detectify.com) - prime reporter!
- Peter Jaric (@peterjaric, javahacker.com)
- Vignesh Kumar(@vigneshkumarmr)
- Christy Philip Mathew
- Vikas Chopalli
- Thamatam Deepak
January 2013:
- Zakaria Amous
- Danijel Maksimović Maxone(@MaXon3)
- Alok J. Sudhakar (@annonymizeralok), Team Security Primes
- Kamil Sevi (@kamilsevi)
- David Vieira-Kurz of MajorSecurity (@secalert)
- Ahmad Ashraff (@yappare)
Thank you and congratulations for demonstrating your technical skills, security knowledge, and responsible behavior!