How P1 Security Handles Responsible Vulnerability Disclosure
The telecommunications industry is a high-value target for sophisticated cyberattacks. Yet, despite the growing threat landscape, the pace of vulnerability remediation by vendors remains far too slow. At P1 Security, we believe that improving security maturity across the telecom ecosystem starts with proactive, responsible, and transparent vulnerability disclosure.
The Mission Behind Our Disclosure Policy
P1 Security is committed to reducing the attack surface of global telecom infrastructure. Our disclosure policy stems from three core pillars:
- Security Research: We conduct in-depth vulnerability research, red teaming, and penetration testing on telecom systems, technologies, and network components.
- Vulnerability Discovery: We actively identify security flaws across both proprietary telecom products and embedded third-party components.
- Advocacy for Transparency: We push for timely and public-facing disclosure practices that benefit operators, infrastructure providers, and end-users alike.
The Responsible Disclosure Process at P1 Security
We follow a well-defined and rigorous process to manage vulnerability discovery and disclosure:
1- Vulnerability Discovery: Our research teams uncover flaws through independent security assessments, client audits, and ongoing red teaming campaigns.
2- Client Notification: If the vulnerability is discovered during an audit or engagement, the affected client is immediately notified.
3- Vendor Notification: We engage the vendor directly, typically via their Product Security Incident Response Team (PSIRT), to initiate responsible disclosure.
4- Responsible Disclosure Period (180 days): We grant vendors a 180-day window to address the vulnerability. This is double the standard timeframe used in many industries, reflecting the complex patching lifecycle of telecom systems.
5- CVE Assignment and Coordination: Vendors are expected to assign a CVE and inform us of the bulletin publication timeline. If a vendor refuses to issue a CVE or fails to provide a fix within the 180-day window, P1 Security will proceed with documentation and potential publication in the private Vulnerability Knowledge Base as outlined in step 6.
6- Publishing in the Vulnerability Knowledge Base (VKB): All confirmed vulnerabilities are documented in our private VKB platform. This includes:
- A technical breakdown of the vulnerability
- List of affected products
- Impact assessment
- Any available workarounds or mitigation steps
Clients with access to the VKB are notified immediately and can verify their exposure and engage their vendors as needed.
Disclosure of Vulnerabilities in Third-Party Components
We also handle vulnerabilities in third-party libraries and embedded systems, often overlooked by vendors:
- We assess the security implications of known CVEs on various telecom products (e.g., CVE-2025-32433).
- Our analysis is published in the VKB.
- Clients are notified with product-specific insights.
- Operators are encouraged to contact their vendors directly to confirm exposure and remediation paths.
Challenges in the Telecom Vulnerability Ecosystem
Despite our structured approach, several industry-wide challenges remain:
- Insufficient Vendor Response: Many telecom vendors fail to issue CVEs or publish timely security bulletins, even after acknowledging a vulnerability.
- Operator Blind Spots: Operators are often left uninformed about publicly known flaws affecting their infrastructure.
- Delayed Remediation: Fixes for critical vulnerabilities may take over a year to reach operators.
- Opaque Handling of Third-Party Issues: Some vendors do not publicly acknowledge vulnerabilities in embedded third-party libraries, exposing clients to hidden risks.
Conclusion: A Call for Industry-Wide Maturity
Telecom operators, vendors, and security researchers must work together to accelerate the remediation of security flaws. Greater transparency, shorter patch timelines, and a shared responsibility model are essential to building trust and resilience across the telecom ecosystem.
At P1 Security, we remain committed to pushing the industry forward—through research, responsible disclosure, and transparent communication via our VKB platform.
Resources & Contact:
Vulnerability Knowledge Base | P1 Security
P1 Security: P1 Security Manager