Vulnerability Disclosure Policy (VDP)
Telecom Services SA values the important role of independent security researchers who act ethically in order to safeguard the security of our own data, that of members of the public and our customers, and the reliability of our products and services. We therefore welcome all responsible disclosures of vulnerabilities in the digital assets that we own, operate and maintain.
This policy describes the steps for disclosing vulnerabilities. Please read through the policy carefully before testing our systems for security gaps. We strive to collaborate actively with security researchers to review and remove the disclosed vulnerabilities.
Scope
All publicly accessible digital assets owned, operated, or managed by Telecom Services SA.
Here is a list of assets owned by Telecom Services SA:
- 185.54.4.120/30
- 185.54.4.121/30
- 185.54.4.122/30
- 185.54.4.123/30
- 185.54.4.124/30
- 185.54.4.125/30
- 185.54.4.128/27
- 185.54.6.0/27
- *.telecomservices.ch
- admingibloux.3cx.ch
- valrando.3cx.ch
- affidea.3cx.ch
- oasys.3cx.ch
- cosahl.3cx.ch
- tsab.3cx.ch
- market.louis.swiss
- christan.3cx.ch
- tslab.3cx.ch
Out of scope
Please note that
- we draw on the services of other companies and/or organisations for some parts of our systems and infrastructure.
- there are some systems in our infrastructure that are not directly under our control.
Vulnerabilities discovered or suspected in these systems must be disclosed to the corresponding provider or responsible authority. Should they nevertheless be reported via this channel, we will forward the vulnerability to the relevant organisation. However, the owner of the IT system affected will remain responsible for the system and for any rectification measures.
Our commitment
When collaborating with us within the framework of this policy, you can expect the following from us:
- Prompt response confirming receipt of the vulnerability disclosure
- Proactive collaboration enabling the disclosure to be understood and validated
- Open dialogue to discuss any problems or challenges
- Notification once the vulnerability is removed
- Provision of a legal safe harbour through this policy in order to facilitate the proactive discovery of vulnerabilities
Our expectations
When participating in our Vulnerability Disclosure Program, we expect from you:
- Compliance with the rules and instructions described in this policy
- That you do not violate any prevailing laws through collaboration and any disclosures resulting from this.
- Immediate disclosure to us of each vulnerability discovered
- That you do not exploit or otherwise make use of the vulnerabilities discovered except for the purpose of disclosure to us
- That you respect the privacy of others, do not disrupt our systems, do not destroy data and do not infringe upon other users of the system
- That you only use the official disclosure channels to discuss information regarding vulnerabilities with us
- That you uphold the confidentiality of details about discovered vulnerabilities in accordance with this policy
- If a vulnerability facilitates unintended access to data, that you limit access to the absolute minimum necessary for demonstrating the vulnerability, discontinue testing and immediately submit a disclosure to us
- That you only interact with test accounts that belong to you or for which you have the explicit consent of the account holder
- That you do not assert any claims with the disclosure
- That you grant us a reasonable period (100 days from initial disclosure) to rectify the problem
- That you coordinate with us any publication of vulnerabilities
Telecom Services SA does not permit any of the following types of security tests
While we encourage you to disclose to us all vulnerabilities you discover, the following activities are strictly prohibited within the framework of this policy:
- Activities that could negatively affect our systems or customers (e.g. phishing, spam, brute force attacks, denial-of-service etc.)
- Destruction, damage or alteration of data or information not belonging to you, or an attempt at this
- Physical or other attacks on our staff, property, buildings or infrastructure
- Social engineering towards our staff, customers or contractors
Coordinated vulnerability disclosure (CVD)
We value the efforts of external security researchers who identify and responsibly disclose security gaps so they can be removed. Our policy permits publication as long as the following conditions are met (coordinated vulnerability disclosure):
- The notifying person may not publish the vulnerability before we have confirmed that it is removed, and disclosure has been accepted by us.
- A publication is accepted after 100 days as long as it has been coordinated with us.
- No precise details of the problem may be published such as exploits or proof-of-concept code.
- No mention of us or our partners
Official channels
Please report vulnerabilities via security@telecomservices.ch and provide all relevant information. Please do not submit any reports from automated tools without checking them. The more of the following details you provide, the easier it will be for us to analyse and remove the problem and reward you for your efforts:
- Technical description of the vulnerability, including:
  - Information about the browser used (type and version)
  - Relevant information about connected components and devices
  - Platform(s) and URL(s) affected
  - Sample code to demonstrate the vulnerability and/or detailed instructions for reproduction
- Threat/risk assessment
- Date and time of discovery
- Contact details
- Any plans for publication, if intended
Please note that these channels may only be used to report non-disclosed vulnerabilities and not for other support or information requests. Requests not concerning undisclosed vulnerabilities will not be answered.
Legal safe harbour
- We will not take any civil action or file charges with prosecuting authorities against participants of this program due to unintended violations of this policy as long as these took place in good faith.
- We interpret activities of participants in line with this policy not to constitute unauthorised access pursuant to the Swiss Criminal Code. This includes Articles 143, 143bis and 144bis of the Swiss Criminal Code.
- We will not file charges against participants who attempt to circumvent security measures in force in order to protect the services specified in this policy.
- Should legal action be initiated against a participant by a third party and such participant have acted in accordance with this policy, we will take the necessary steps to make the authorities aware that the actions of said participant took place in compliance with this policy.
- A warning may be issued in the event of minor infringements. In the event of serious breaches, we reserve the right to file criminal charges.
You are obliged to comply with all prevailing laws at all times. Should you at any time have doubts or be unsure as to whether your tests and activities are in compliance with this policy, please contact us via one of our official channels before continuing your activities.
Please note that the legal safe harbour only applies to legal claims within the control of Telecom Services SA and that the policy is not binding on independent third parties.
This policy is governed by Swiss law. The sole place of jurisdiction for all disputes arising out of or in connection with this policy is 1752 Villars-sur-Glâne, Fribourg, Switzerland. Mandatory places of jurisdiction remain reserved.