VODAFONE IDEA LIMITED believes in keeping its customer data secure and private. Security is a business priority for us, and our way of demonstrating that priority is by ensuring that our Responsible Disclosure Policy allows the cyber security and research community an opportunity to notify us of security vulnerabilities that may impact the safety of our customers.
We value the expertise and help of the cyber security and research community in helping us maintain our high security standards. Vi encourages security researchers to keep us informed so as to ensure the security community can potentially avert security breaches and loss of sensitive data. You can use this site to report any suspected security vulnerabilities related to our services or products.
If you are aware of a vulnerability that could affect Vodafone Idea Limited’s services or products, please contact us via the link disclosed under “How to Report a Vulnerability”. Our security specialists will review all submissions and, where required, we will work on the vulnerability to make sure we are able to fix any potential issues as quickly as possible.
We will not take any legal action against or suspend or terminate the accounts of those who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy.
1. Vulnerability Submission Guidelines –
- Do submit your reports in English.
- Do exercise caution and restraint about personal data and do not intentionally engage in attacks against third parties, social engineering, denial-of-service attacks, physical attacks on any Vodafone Idea Limited property or spamming or otherwise causing a nuisance to other users.
- Do provide Proof-of-Concept or sufficient information to enable reproduction of the vulnerability, so that it can be verified, reproduced, and possible remedies identified. Generally, identification of the vulnerable target, a description of the vulnerability and operations carried out to exploit the vulnerability are sufficient, but more details and information might be required in the case of complex vulnerabilities.
- Do not abuse the vulnerability by causing disruption through your actions.
- Do not share information about the vulnerability with others until it has been resolved in accordance.
- Do submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
2. Our Responsibility –
- The finder’s personal details will be treated as confidential and will not be shared with third parties without their authorization, unless we are required to do so to comply with legal obligations.
- We will investigate any details you provide and respond as soon as possible. To acknowledge the first person who alerts us to previously unknown vulnerabilities, we will show our gratitude by placing their name in the Acknowledgements list below. We do not offer a public bug bounty program and compensation requests will not be considered in compliance with this Responsible Disclosure Policy.
3. Confidentiality Agreement –
Do not disclose confidential information, including details on your submission, without prior and explicit consent from VODAFONE IDEA LIMITED.
4. Vulnerability Submission –
Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Please follow the procedure below for submission of the vulnerability and mail us at Vil.Cdc@vodafoneidea.com
- Title (Let us know what the vulnerability is all about).
- Vulnerability Details (Please let us know the URL/location of the vulnerability).
- Vulnerability Description (We would like to know more about the vulnerability and its impact with a proof of concept or steps of replication)
- Attachments of proof (such as screenshots, screen recordings).
- Researcher Email (Optional)
- Confirmation that the submission is accurate and relevant to VODAFONE IDEA LIMITED’s Terms & Conditions.
5. Non-Vulnerability Issue Submission –
If you want to report any other type of issue not related to security (e.g. customer complaints, billing issues, etc.), please reach out to firstname.lastname@example.org
“Vi learnt about a potential vulnerability in billing communication. This was immediately fixed and a thorough forensic analysis was conducted to ascertain no data breach.
Vi follows adequate security protocols including the Responsible Disclosure Policy published here on our website.
Vi has notified appropriate agencies about this and the proactive measures taken by us to avert any threat.”
24th August, 2022