RESPONSIBLE DISCLOSURE

Reporting Vulnerabilities

 

VODAFONE IDEA LIMITED believes in keeping its customer data secure and private. Security is a business priority for us, and our way of demonstrating that priority is by ensuring that our Responsible Disclosure Policy allows the cyber security and research community an opportunity to notify us of security vulnerabilities that may impact the safety of our customers.

 

We value the expertise and help of the cyber security and Research community in helping us maintain our high security standards. Vi encourages Security Researchers to keep us informed so as to ensure the security community can potentially avert security breaches and loss of sensitive data. You can use this site to report any suspected security vulnerabilities related to our services or products.

 

If you are aware of a vulnerability that could affect Vodafone Idea Limited’s services or products, please contact us via the link disclosed under “How to Report a Vulnerability”. Our security specialists will review all submissions and, where required, we will work on the vulnerability to make sure we are able to fix any potential issues as quickly as possible.

 

We will not take any legal action against or suspend or terminate the accounts of those who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy.

 

1.       Vulnerability Submission Guidelines-

  • Do submit your reports in English
  • Do exercise caution and restraint about personal data and do not intentionally engage in attacks against third parties, social engineering, denial-of-service attacks, physical attacks on any Vodafone Idea Limited property or spamming or otherwise causing a nuisance to other users.
  • Do provide Proof-of-Concept or sufficient information to enable reproduction of the vulnerability, so that it can be verified, reproduced, and possible remedies identified. Generally, identification of the vulnerable target, a description of the vulnerability and operations carried out to exploit the vulnerability are sufficient, but more details and information might be required in the case of complex vulnerabilities.
  • Do not abuse the vulnerability by causing disruption through your actions.
  • Do not share information about the vulnerability with others until it has been resolved in accordance.
  • Do submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

 

2.      Our Responsibility

  • The finder’s personal details with third parties without their authorization, unless required to do so, to comply with legal obligations will be treated as confidential.
  • We will investigate any details you provide and respond as soon as possible. To acknowledge the first person who alerts us to previously unknown vulnerabilities, we will show our gratitude by placing their name in the Acknowledgements list below. We do not offer a public bug bounty program and compensation requests will not be considered in compliance with this Responsible Disclosure Policy.

 

3.     Confidentiality Agreement

Do not disclose confidential information, including details on your submission, without prior and explicit consent from VODAFONE IDEA LIMITED.

 

4.     Vulnerability Submission

Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Please, follow below procedure for submission of the vulnerability and mail us at vulnerability.disclosure@vodafoneidea.com

 

  • Title (Let us know what the vulnerability is all about).
  • Vulnerability Details (Please let us find the URL/Location of Vulnerability)
  • Vulnerability Description (We would like to know more about the vulnerability and its impact with a proof of concept or steps of replication)
  • Attachments of proof (such as screenshots, screen recordings).
  • Researcher Email (Optional)
  • Confirmation to the submission is accurate and relevant to VODAFONE IDEA LIMITED’s terms & Condition 

 

5.     Non-qualifying vulnerability submission -

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

 

  • Clickjacking on pages with no sensitive actions
  • Ability to perform an action unavailable via user interface without identified security risks
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Disclosure of private IP addresses or domains pointing to private IP addresses
  • Leakage of sensitive tokens (e.g. password reset token) to trusted third parties on secure connection (HTTPS)
  • Self-XSS (tricking someone to running scripts on their console).
  • Missing best practices in HTTP headers without demonstrating a vulnerability
  • Attacks requiring MITM or physical access to a user's device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Rate limiting or bruteforce issues on non-authentication / sensitive endpoints
  • Missing best practices in Content Security Policy.
  • Missing HttpOnly or Secure flags on cookies
  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors).
  • Tabnabbing
  • Open redirect - unless an additional security impact can be demonstrated
  • Issues that require unlikely user interaction
  • Static resources / public information "exposed" in storage buckets, unless an impact can be demonstrated
  • Unauthenticated CORS leading to no sensitive exposure or impact
  • Physical attacks towards any Vodafone property
  • Weak Captcha / Captcha Bypass
  • Lack of a session timeout
  • Vulnerabilities that have been recently published (less than 30 days)
  • Vulnerabilities that have already been reported/fix in progress.
  • “Cross Domain Referrer Leakage”, unless the referrer string contains privileged or private information

 

6.     Non-Vulnerability Issue Submission

If you want to report any other type of issue not related to security (e.g. customer complaints, billing issues, etc.) , please reach out to customercare@vodafoneidea.com

 

__________________________                               

 

Public Statement:

“Vi learnt about a potential vulnerability in billing communication. This was immediately fixed and a thorough forensic analysis was conducted to ascertain no data breach.
Vi follows adequate security protocols including the Responsible Disclosure Policy published here on our website.
Vi has notified appropriate agencies about this and the proactive measures taken by us to avert any threat.”

24th August, 2022