Coordinated Vulnerability Disclosure (CVD)

ETSI has provided a place for individuals or organizations to responsibly disclose a vulnerability that they have found in ETSI standards. The full ETSI CVD Process is described transparently on this page, from the moment of reporting to the resolution of the vulnerability, where ETSI works with its members, spanning over 60 countries and five continents, to develop fixes.

Please find information in the following sections, including how to report a vulnerability.

CVD Process Legal Notice Report a Vulnerability Hall of Fame

As a world-leading standards organization, ETSI recognizes the value of a Coordinated Vulnerability Disclosure process in improving the security of its standards. Importantly, ETSI aims to resolve all valid vulnerabilities within 90 days of reporting.

All reports are examined thoroughly, and our Hall of Fame acknowledges those Finders who submitted validated vulnerabilities to ETSI's CVD Process and opted-in to public recognition.

Note: Disclosures to ETSI's CVD Process must focus on ETSI standards.

Definitions

ETSI CVD Steering Committee: committee which, for each vulnerability report, triages the vulnerability, interacts with the Chair and the ETSI Technical Officer for the relevant TB/ISG and the rapporteur(s) of the impacted standard(s) to resolve the vulnerability, and communicates on the progress of the handling of the vulnerability report with the Finder. 

Finder: individual or organization who has found a potential vulnerability

Vulnerability: security weakness that can be abused to cause unintended behaviour

CVD process

This section describes the CVD process, from submission of the vulnerability report to its resolution.

Once a vulnerability report is submitted by a Finder, it is shared with the ETSI CVD Steering Committee. They triage the vulnerability and share the report with the Chair and the ETSI Technical Officer for the relevant TB/ISG and the rapporteur(s) of the impacted standard(s). The Finder will receive an email from the ETSI CVD Steering Committee that the report has progressed to the impacted TB/ISG. Next, the impacted TB/ISG assesses the vulnerability report at a committee-wide meeting. The vulnerability is assessed, and either accepted or rejected as to its validity. In either case, the Finder is notified. If the vulnerability report is assessed as valid, the impacted TB/ISG works to create a resolution. The resolution is prepared and adopted using the ETSI decision-making procedures by the impacted TB/ISG, and the Finder is informed by email of what the resolution is and that it has been made. ETSI aims to resolve all valid vulnerabilities within 90 days of reporting though it may take longer for complicated fixes. If the Finder has opted-in to public recognition, he/she may be added to ETSI's Hall of Fame.

CVD Legal Notice

As the ETSI Coordinated Vulnerability Disclosure (CVD) Process is designed to benefit the security of ETSI  standards, the ETSI CVD Steering Committee, ETSI, its staff and members do not warrant or assume any liability for the responsibilities of this process, or "Vulnerability Resolution" outcomes, and any other activities or milestones set forth by ETSI. Each beneficiary of this activity will engage in this offering without reliance or any representation and /or warranty of the other parties and all such representations and/or warranties are, to the greatest extent permitted by applicable law, hereby disclaimed.

The vulnerability will be handled in accordance with the ETSI CVD Process. Disclosures to ETSI's CVD Process must focus on ETSI standards. Disclosures outside of this scope will not be addressed by ETSI. 

Taking into consideration that ETSI is a not-for-profit association, disclosures to the ETSI CVD Process will not generate any financial compensation for the Finder.

Finder Responsibilities

When submitting a vulnerability report, the Finder (individual or organization who has found a potential vulnerability) commits to:

Only share findings with ETSI using the vulnerability report form Provide a Proof-of-Concept and/or sufficient information to enable reproduction of the vulnerability. This allows the vulnerability report to be verified and allows possible fixes to be proposed. Submit vulnerabilities pertaining only to ETSI standards

ETSI also requests that the Finder undertakes not to disclose the vulnerability with other people until it has been resolved by ETSI, not to use the vulnerability for exploitation beyond the minimum necessary to demonstrate the vulnerability, and not to leverage the vulnerability for financial gain. As far as possible, these resolutions will happen within 90 days, when the vulnerability has been assessed as valid, in accordance with ETSI's CVD process timeframes.

ETSI Responsibilities

ETSI will:

Treat submitted reports confidentially. ETSI will not share the Finder's details with third parties without the Finder’s authorization, unless legally required to do so.  Accept reports from anonymous Finders. However, Finders engaging anonymously accept that ETSI may be unable to contact them on topics concerning but not limited to: the vulnerability, progress towards resolution of the vulnerability, publication of the vulnerability, inclusion in the Hall of Fame. Acknowledge the vulnerability report submitted by the Finder within 7 days of its submission, if the Finder is not anonymous. Keep the Finder updated of progress throughout the process, except when this is not possible due to the Finder engaging anonymously. Aim to resolve valid vulnerabilities within 90 days. However, there may be times where fast resolution or any resolution is not a possible option, for a variety of reasons.  If the Finder opts in, ETSI may recognize the Finder on its Hall of Fame webpage. Entry to the Hall of Fame is determined solely by ETSI on a case-by-case basis. Eligibility will depend on factors such as the accuracy of the vulnerability claims and the Finder's compliance to Finder responsibilities.

Report a Vulnerability

To report a vulnerability on 3GPP specifications, please use the 3GP CVD Process.

 

Drawing on 30 years of experience we have evolved a well proven standards-making process which ensures our standards are of high quality and produced efficiently.

All our standards conform to our highly respected Intellectual Property Rights (IPR) policy, which balances the needs of standardization for public use with the rights of the owners of IPRs. 

Consensus & transparency

ETSI’s standards-making process is based on consensus – agreement between our members – and on openness. Our members decide:

what to standardize the timing and resourcing of the task the approval of the final drafts

So, the standards we produce truly respond to the needs of the ICT industry, as represented by our members.

Creating a standard

A proposal to start an item of work, such as to create a new standard or to update an existing one, must be supported by at least four members of ETSI and be agreed by the relevant standards group.

Who writes the standards? Technical committees or other types of working groups, made up of representatives of our members and led by a ‘Rapporteur’, draft most of our standards. Our members may participate in any group and work activity (other than certain security-related work where participation is controlled by the ETSI Board).  Specialist Task Forces (STFs) set up to accelerate the work where there is an urgent need. STFs are groups of technical experts who come together for a defined period to work intensively on specific items. Industry Specification Groups offering an effective alternative to industry fora. They can be set up quickly to address specific technology areas. Who approves the standards?

Depending on the document type, it will be approved by either:

the participants in the relevant committee or the entire ETSI membership or the National Standardisation Bodies

In the case of elaborated European Standards on proposal from at least four (4) Full and/or Associate members, ETSI's National Standards Bodies give the final approval. 

In the case of elaborated European Standards or European standardisation deliverables in response to Standardisation Requests, ETSI's National Standardisation Bodies give the final approval.

We provide a range of web-based approval mechanisms, to make this a highly pragmatic and visible process.

How are standards approved?

Different approval procedures are used depending upon the type of standard being created.

Technical Specifications (TS), Technical Reports (TR), Group Specifications (GS), Group Reports (GR) and Special Reports (SR)

After the Technical Committee or the Industry Specification Group has approved the draft, it submits it to the ETSI Secretariat which publishes the standard.

 

ETSI Guides (EG) and ETSI Standards (ES)

These documents are approved by the full ETSI membership, using the 'Membership Approval Procedure':

After the Technical Committee has approved the draft, the ETSI Secretariat makes the document available to the Members. Each ETSI full and associate member may vote as to whether the standard should be adopted. If the vote is successful the ETSI Secretariat publishes the standard; if not, it is referred to the committee.

 

European Standards (EN)

EN Approval Procedure – It comprises a Public Enquiry and a weighted national Vote performed in a single process:

After the Technical Committee has approved the draft, the ETSI Secretariat makes the document available to the National Standards Organizations (NSOs). The NSOs carry out the Public Enquiry. This involves consultation and submission of the national position (the weighted national ‘vote’) on the standard. If this vote is successful, and if no substantial comments are received as a result of this consultation, the ETSI Secretariat finalizes the draft and publishes the standard. Any technical comments received during Public Enquiry are considered by the Technical Committee, which may revise the draft and resubmit it to the Secretariat. If the changes are significant, the Secretariat may initiate another Public Enquiry; otherwise the draft will be presented directly to a second vote. After a successful vote, the Secretariat publishes the standard.

Voting

Votes are successful if at least 71% of the weighted votes cast are in favour of the draft. This applies to all types of documents, except for some Group Specifications. For European Standards the vote of each nation is weighted as agreed by the ETSI General Assembly. For other types of document, the vote of each ETSI member is weighted as agreed between the members.

European Standards (EN) and European standardisation deliverables

ETSI may elaborate European Standards and European standardisation deliverables in response to Standardisation Requests to support the European legislation or policies, in accordance with the amended Regulation (EU) No 1025/2012.

The above deliverables shall be adopted by the eligible members of the NSBG throughout the ETSI Standardisation Request deliverables Approval Process (SRdAP) and in accordance with the provisions of Article 21 of the Rules of Procedure, and those of Clause 2.2.2 of the Technical Working Procedures.

Where linked to legislation, the European Standards that have been elaborated, adopted and published by ETSI in response to SReqs shall be qualified as Harmonised Standards (hEN) when cited by the EC in the Official Journal of the European Union (OJEU).

Standardisation Request deliverables Approval Process (SRdAP) – ENs and European standardisation deliverables follow this procedure which comprises a Standardisation Request acceptance, a WISR adoption and, a Public Enquiry and a weighted national Vote performed in a single process:

Upon receipt of the official SReq, each NSBG member should be able to express the national position to accept or reject the SReq through a twenty-five (25) calendar days Weighted National Voting procedure organized by the Director-General. This voting procedure shall be ruled by the principles described in Article 21.5 of the Rules of Procedure. Upon receipt of the Work Item(s) identified in the Standardisation Request (WISR) and created by the responsible Technical Group, each member of the NSBG should be able to express the national position to adopt or reject the proposed WISR through a consultation organized by the Director-General, as specified in the Technical Working Procedures. After the Technical Committee has endorsed the draft, the ETSI Secretariat makes the document available to the National Standardisation Bodies (NSBs). The NSBs carry out the Public Enquiry. This involves consultation and submission of the national position (the weighted national ‘vote’) on the standard. If this vote is successful, and if no substantial comments are received as a result of this consultation, the ETSI Secretariat finalizes the draft and publishes the standard. Any technical comments received during Public Enquiry are considered by the Technical Committee, which may revise the draft and resubmit it to the Secretariat. If the changes are significant, the Secretariat may initiate another Public Enquiry; otherwise the draft will be presented directly to a second vote. After a successful vote, the Secretariat publishes the standard.

Publication

The approved standard is published by the ETSI Secretariat, our permanent staff based at our headquarters. The Secretariat works closely with those drafting the document and is responsible for ensuring that the relevant procedures have been followed. This helps to guarantee the high quality of the final document.

Maintenance

Maintenance is an important part of the standardization process. It is how ETSI adapts its standards to evolving technology and the developing needs of the market place.

Our standards are updated as required to take account of the latest developments and revised versions are published.

Full details of the approvals process are outlined in the ETSI Directives on the ETSI Member Portal, in particular the Technical Working Procedures.

Standardization principles

ETSI standards and technical specifications are developed through processes which fulfil the following criteria

OPENNESS

ETSI standards and technical specifications are developed on the basis of open decision-making accessible to all interested parties in the market or markets affected by those ETSI standards and technical specifications

CONSENSUS

The decision-making process is collaborative and consensus based and does not favour any particular stakeholder

TRANSPARENCY

All information concerning technical discussions and decision making is archived and identified Information on new standardization activities is publicly and widely announced through suitable and accessible means Participation of all relevant categories of interested parties is sought with a view to achieving balance Consideration and response are given to comments by interested parties

ETSI standards and technical specifications meet the following requirements

MAINTENANCE

Ongoing support and maintenance of published ETSI standards and technical specifications are guaranteed over a long period

AVAILABILITY

ETSI standards and technical specifications are publicly available for implementation and use on reasonable terms (including for a reasonable fee or free of charge)

POLICY

Intellectual Property Rights (IPR) technically essential to the implementation of the ETSI standards and technical specifications have to be declared in a timely manner and are licensed on (fair) reasonable and non-discriminatory terms ((F)RAND) which can be without monetary compensation

RELEVANCE

ETSI standards and technical specifications are effective and relevant

ETSI standards and technical specifications respond to market needs and/or regulatory requirements

NEUTRALITY and STABILITY

ETSI standards and technical specifications do not significantly limit the possibilities for implementers to develop competition and innovation based upon them

ETSI standards and technical specifications are based on advanced scientific and technological developments and demonstrate improvements

QUALITY

The quality and level of detail are sufficient to permit the development of a variety of competing implementations of interoperable products and services

Standardized interfaces are not hidden or controlled by anyone other than the organizations that adopted the ETSI standards and technical specifications

Standards, Specifications and Reports

ETSI is a key player on the international standards scene and publishes more than 2,500 standards every year. These include the standards that enable key global technologies such as GSM^TM, 3G, 4G, 5G, DECT^TM, and many more ICT standards success stories.

ETSI standards are available for download in PDF free of charge (the Word version is password protected and accessible for a specific target audience only).

ETSI produces specifications, standards, reports and guides, each with its own purpose.

European Standard (EN) – Used when the document is intended to meet needs specific to Europe and requires transposition into national standards, or when the drafting of the document is required under a standardization request from the European Commission (EC)/European Free Trade Association (EFTA). An EN is drafted by a Technical Committee and approved by ETSI's European National Standards Organizations. Harmonised Standards
Harmonised Standards are ENs with a special status. We produce them in response to an EC standardization request. They provide the technical detail necessary to achieve the ‘essential requirements’ of an EC Directive. They are thus key enablers of the European Single Market. We produced and continue to produce numerous Harmonised Standards in support of several EC mandates and policies. ETSI Standard (ES) – Used when the document contains technical requirements. An ES is submitted to the whole ETSI membership for approval. ETSI Guide (EG) – Used for guidance to ETSI in general on the handling of specific technical standardization activities. It is submitted to the whole ETSI membership for approval. ETSI Technical Specification (TS) – Used when the document contains technical requirements and it is important that it is available for use quickly. A TS is approved by the Technical Committee that drafted it. ETSI Technical Report (TR) – Used when the document contains explanatory material. A TR is approved by the Technical Committee that drafted it. ETSI Special Report (SR) – Used for various purposes, including to make information publicly available for reference. An SR is approved by the Technical Committee which produced it. ETSI Group Specification (GS) – Provides technical requirements or explanatory material or both. Produced and approved within our Industry Specification Groups (ISGs). ETSI Group Report (GR) – An ETSI deliverable, containing only informative elements, approved for publication by an Industry Specification Group. Publicly available specifications

Our Publicly Available Specifications (PAS) process enables an ETSI partner to submit one or more of its Publicly Available Specifications for adoption by ETSI. It will then become an ETSI Technical Specification (TS) or ETSI Technical Report (TR). For more information please read about PASs in our Partnerships section.

A standard is a document that provides rules or guidelines to achieve order in a given context.

ETSI’s rules for drafting standards amplify this a little: “a document, established by consensus and approved by a recognized body, that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context”. (Derived from ISO/IEC Guide 2:1996, definition 3.2)

Standards have special significance in the domain of Information and Communication Technologies (ICT), which is ETSI's area of competence:

addressing needs for interconnection and interoperability which is particularly important for open markets, where mobile users can ‘mix and match’ equipment and services, and where suppliers can benefit from economies of scale important for ensuring safety, reliability and environmental care referenced by regulators and legislators for protecting user and business interests, and in support of government policies

Standards bring numerous benefits to business and society. ETSI is a recognized European Standardization Organization and it encourages global adoption of its standards where appropriate. Many ETSI standards are used worldwide.

Standards may be used on a voluntary basis, or made mandatory by company policy, national or international regulation, or by law.

In Europe there are three different categories of standard:

International standard – adopted by an international standardization organization European standard – adopted by a European standardization body National standard –  adopted by a national standardization body and made available to the public

Benefits of standards

We use standards every day, in all aspects of our daily lives – in communications, media, healthcare, food, transport, construction, furniture, energy…

Standards provide:

Safety and reliability– raising user confidence, increasing sales and the take-up of new technologies Support of government policies and legislation– Standards are frequently referenced by regulators and legislators for protecting user and business interests, and to support government policies, for example the European Union's policy for a Single Market Interoperability– the ability of devices working together Business benefits to: Open market access Provide economies of scale Encourage innovation Increase awareness of technical developments and initiatives Consumer choice - standards provide the foundation for new features and options, contributing to the enhancement of our daily lives. Mass production based on standards provides a greater variety of accessible products to consumers.

A good example of the power of standardization is the GSM^TM mobile communication technology and its successors (3G, 4G, 5G...), truly global phenomena, in which ETSI has and is still playing a leading role. Although GSM was originally envisaged as a solution just for Europe, these technologies have been deployed world-wide. As a result, travellers today can communicate and use familiar services in every corner of the world – all thanks to standardization.

ETSI can boast many other similar success stories including, for example, Smart Cards, DECT^TM, TETRA, Short Range Radio, medical implants, electronic signatures....

In a world without standards:

products might not work as expected or be of inferior quality products might be incompatible with other equipment or may not even connect with them non-standardized products may be dangerous customers would be restricted to one manufacturer or supplier manufacturers would be obliged to invent their own individual solutions with limited opportunity to compete with others

Standards for the Single Market

The creation of a European Single Market is a central policy of the European Union.

One of the key mechanisms to turn the political ambition into practical action is standardization. Standards, such as Harmonised Standards produced by ETSI, contribute to single market initiatives by proposing commonly-agreed technical solutions that lead to harmonization.

ETSI produces Harmonised Standards to support European Directives related to:

Radio and Telecommunications Terminal Equipment (R&TTE, being replaced by a Radio Equipment Directive) Electromagnetic Compatibility (EMC) access to emergency services 

We also contribute to safety standards produced in our sister European Standardization Organization, CENELEC.

All Member States of the European Union must allow a product to be placed on the market and used in their territories if it complies with the relevant Directives. Harmonised Standards enable manufacturers, suppliers, networks operators and others to prove their products’ compliance with the relevant Directives.

We also support the Single European Sky initiative by preparing Community Specifications for the civil aviation sector in co-operation with the European Organization for Civil Aviation Equipment, EUROCAE.

Interoperability & testing

In a world of converging yet diverse technologies, complex ICT systems must communicate and interwork on all levels – this is interoperability.

Interoperability means that users have a much greater choice of products and manufacturers can benefit from the economies of scale that a wider market brings.

Interoperability is therefore a crucial factor in the success of modern technologies, and market demand has ensured that interoperability holds a prominent position in standardization.

One of the key motives for the development of ICT standards is to facilitate interoperability between products in a multi-vendor, multi-network and multi-service environment.

Complex products and systems are often based on multiple standards from several standards-making organizations, including ETSI, or on requirements published by industrial fora. Collaboration between standards groups is therefore vital.

In addition, standards themselves need to be designed and tested to ensure that products and services complying with them do achieve interoperability.

Testing of products and systems to verify their interoperability is critical to their success – ideally this should take place throughout their development. Eliminating basic interoperability problems at an early stage helps reduce costs and to avoid dissatisfied customers.

A standardized approach to testing is essential if the results are to be trusted.