Responsible Disclosure

Whenever a customer, researcher or expert should identify one or more vulnerabilities in the following environments:

• TIM portals (i.e. www.tim.it, www.gruppotim.it, etc.)
• Mobile applications bearing the TIM logo and published on official stores (i.e. TIM Music, My TIM Fisso, TIM Telefono)
• Devices bearing the TIM logo (i.e. TIM Vision decoder,  ADSL modem-router, etc. except for cellular phones)
• Equipment pertaining to TIM’s fixed-line or mobile network (i.e. routers, load balancers, etc.)

he or she can send the information to TIM following the procedure laid out below.

Using the following procedure, whoever informs TIM of a system vulnerability is required to make a responsible disclosure so as not to expose other clients to unnecessary security risks.

The reporting person must avoid performing any activity that can either disrupt the impacted system or service or cause any data leakage/loss, limiting his/her use of the system/service to the minimum necessary and refraining from accessing data not strictly necessary to prove the existence of the vulnerability. Any activity on the impacted system/service must be carried out in full compliance with the provisions of the present policy. Moreover, the use of intensive or invasive scanning tools is not allowed.

Responsible disclosure implies that the reporting person has not spied on or disclosed any third-party data without their consent.

Specifically, whoever activates the procedure must:

Send the information via email to responsible-disclosure@telecomitalia.it with the following details:

• Personal data (name, surname and, if applicable, organization for which the person works)
• The type of vulnerability identified
• The service/device/application impacted by the flaw
• A detailed description of the problem encountered
• IP address from which the vulnerability was identified, together with the date and time of discovery
• A compressed archive (zip) with all the files which can help in reproducing the flaw (i.e. images, screenshots, text files with description details, PoC, source code, scripts, pcap traces, logs, source IP addresses, …). The maximum dimension of the archive cannot exceed 10MB. If the archive is password protected please specify the password in the body of the mail.
• The consensus or not to sending your personal data to the producer, if available, of the technology involved for a possible direct contact between the parties.
• The consensus or not to being listed in the Hall of Fame section, together with an optional personal contact, if you want it to be mentioned alongside your Name and Surname.
• In activating the Responsible Disclosure procedure you may encrypt your mail using the following public key:
  PGP key: 0x68DEAD71
  Fingerprint: 0184D9E3E0CACB6F6E9A813BDE90CF9768DEAD71

Observe strict secrecy on all information pertaining to the vulnerabilities discovered, and therefore commit not to reveal any of these, entirely or partially, or in any form make them available to third parties for a period of not less than 90 days, allowing TIM the required time to identify and apply the necessary countermeasures. In especially complex cases, TIM reserves the right to extend this period, giving appropriate notice to whoever sent the information.

In the cases where the information regarding the vulnerabilities comes from a legal entity (public or private), corporation, consortium or other associative body, the sender must take the necessary steps to limit access to said information to those employees who require the use of the affected system for their work activities, enacting all suitable and appropriate measures to maintain confidentiality and abovementioned limits while accessing and using the information.

Once a notice has been received, TIM is committed to following up as follows:

1. Send an email to the reporting person/entity to acknowledge reception of the mail with the information outlined above. Within 10 days from this confirmation TIM will send a second email with an evaluation of the relevance of the vulnerability and the results of an initial analysis.
2. Adequately manage the vulnerability report so as to respect the timeline indicated previously and, in case of an eligible report on a vulnerability which is not already being handled, publicly thank the sender in the Hall of Fame section, if the necessary authorization accompanied the original mail.

TIM does not offer economic rewards; moreover, TIM reserves the right not to manage reports which do not respect the criteria indicated in this procedure.

TIM stresses the importance of assuming responsible behavior even after the release of any patch as the rollout process can be long and complicated. Therefore, we ask a careful evaluation of information released in this regard, with the objective of safeguarding user security.

Below you will find some examples of vulnerability categories which are considered eligible for publication in the Hall of Fame:

• Cross Site Scripting (XSS)
• Cross Site Request Forgery (CSRF)
• Injection (i.e. SQL injection, user input)
• Broken Authentication and Session Management
• Broken Access Control
• Security Misconfiguration
• Redirect / Man in the Middle attacks
• Remote code execution
• Underprotected API
• Privilege Escalation

On the other hand, the following situations are not covered by this Responsible Disclosure initiative and therefore are not eligible for the Hall of Fame:

• Situations which are not inherent to security aspects (i.e. unavailability of a service, bugs in a GUI, etc.) and therefore managed through traditional channels of customer care.
• Problems regarding phishing or spam and vulnerabilities inherent to social engineering techniques; these must be signaled either via email to abuse@telecomitalia.it or through the form available on
  https://www.gruppotim.it/en/footer/form-abuse.html
• Results of automatic tools for vulnerability assessment/penetration testing (i.e. Nessus, nmap, …).
• Reports on the use of weak configurations of the TLS protocol, or reports on non-compliance with best practices, such as, for example, the lack of security headers.

TIM reserves the right to update this Responsible Disclosure procedure at any time.

We would like to thank all persons who make a responsible disclosure to us and recognize their valuable contribution in increasing the security of our products and services.

2024

• Gaurang Maheta, linkedIn.com/in/gaurang883 | Security Misconfiguration
• Mipam Ludwig Uderzo, linkedin.com/in/mipam-ludwig-uderzo-49099820b/| Remote Code Execution e SQL Injection

2023

• Agrim Dua, www.linkedin.com/in/agrim-dua-960b00243 | Broken Authentication and Session Management
• Anthony Richa, FB.com/AnT00961 | Broken Authentication and Session Management
• Banavath Aravind, www.linkedin.com/in/aravindb26/ | Security Misconfiguration
• Clandestine, twitter.com/akaclandestine | Cross Site Scripting (XSS)
• Domenico Veneziano, linkedin.com/in/domenico-veneziano | Server-Side Request Forgery (SSRF)
• Gaetano Perrone, www.linkedin.com/in/gaetano-perrone-60520961/ | Multiple Security Misconfiguration
• Gaurang Maheta, Linkedin.com/in/gaurang883 | Security Misconfiguration
• Harsh Dinesh bhai maheta, www.linkedin.com/in/harsh-dineshbhai-maheta-348b551a2 | Outdated software
• Jay Mehta, twitter.com/MrHacke01443999| Security Misconfiguration
• Justin Patrick, www.linkedin.com/in/ciurdaspatrickjustin/ | Security Misconfiguration
• Mipam Ludwig Uderzo, www.linkedin.com/in/mipam-ludwig-uderzo-49099820b | Cross Site Scripting (XSS)
• Mohammadreza Sarayloo, www.linkedin.com/in/mohammadreza-sarayloo | Security Misconfiguration
• Muhammed Ashique, www.linkedin.com/in/ashq/ | Cross Site Scripting (XSS)
• Nilabh Rajpoot, linkedin.com/in/nilabh-rajpoot-6694131bb | Outdated software
• Rock Pratap Singh, www.linkedin.com/in/rock-pratap-singh-92a28928b | Security Misconfiguration
• Simone Quatrini, www.surecloud.com/resources/blog | Multiple Security Misconfiguration, Cross Site Scripting (XSS), Redirect
• tuo4n8,  vsrc.vng.com.vn | Outdated software
• Tushar Vaidya, www.linkedin.com/in/tushar-vaidya-2111s5 | Cross Site Scripting (XSS)
• Vu Van Tien, www.linkedin.com/in/n0-be3r | Security Misconfiguration

2022

• Abdelrahman Tarek, https://twitter.com/0xAT7 | Security Misconfiguration
• Andrea Santese, www.linkedin.com/in/medu554 | Security Misconfiguration, Cross Site Scripting (XSS)
• Anthony Richa, FB.com/AnT00961 | Broken Authentication and Session Management
• Donato Scaramuzzo, www.linkedin.com/in/donato-scaramuzzo-1911b83a | Cross Site Scripting (XSS)
• Ekin Şiar Bayer, twitter.com/EkinBayer4 | Outdated software
• Gaurang Maheta, www.linkedin.com/in/gaurang883 | Cross Site Scripting (XSS), Multiple Security Misconfigurations
• Giacomo Sighinolfi, www.linkedin.com/in/giacomo-sighinolfi-392146119 | Cross Site Scripting (XSS)         
• Ivo de Abreu Araújo, https://www.linkedin.com/in/ivoaabreu | Multiple Cross Site Scripting (XSS)
• Ken Kaneki, twitter.com/aoxsin | Security Misconfiguration
• Krishna Agarwal, www.linkedin.com/in/kr1shna4garwal | Redirect
• Lorenzo Toti, www.linkedin.com/in/lorenzo-toti-b0a939163 | Cross Site Scripting (XSS), Multiple Security Misconfigurations
• Michele  Carone, www.linkedin.com/in/michele-carone-750a5683 | Multiple Cross Site Scripting (XSS) 
• Mipam Ludwig Uderzo, www.linkedin.com/in/mipam-ludwig-uderzo-49099820b | Cross Site Scripting (XSS)
• Mohammadreza Sarayloo, www.linkedin.com/in/mohammadreza-sarayloo | Redirect, Security Misconfiguration
• Nguyen Anh Tuan, twitter.com/_nhiephon| Cross Site Scripting (XSS)
• Nicola Concas, www.linkedin.com/in/nicolaconcas | Security Misconfiguration
• Ramon Dunker, www.linkedin.com/in/ramondunker | Remote code execution
• Ritu raj Choudhary, www.linkedin.com/in/ritu-raj-choudhary-44202620b | HTML Code injections
• Roshan Zameer, www.linkedin.com/mwlite/in/roshan-zameer-97a8531b9 | Security Misconfiguration
• Savino Sisco, www.linkedin.com/in/savino-sisco | Multiple Outdated software, Security Misconfiguration
• Shreyas Ghevariya, www.linkedin.com/in/shreyas-ghevariya-752b96227/| Security Misconfiguration
• Shruti Kapoor, www.linkedin.com/in/shruti-kapoor-b9b0b617a | Security Misconfiguration
• Simone Paganessi, www.linkedin.com/in/simonepaganessi | Outdated software
• Simone Quatrini, www.surecloud.com/resources/blog | Security Misconfiguration
• Valerio Casalino, www.linkedin.com/in/valerio-casalino | Multiple Outdated software, Security Misconfiguration

2021

• Abhijith A, www.linkedin.com/in/abhijith-a-559b761aa | Clickjacking
• Andrea Cappa, twitter.com/zi0Black |  HTML Code Injection
• Anthony Richa, FB.com/AnT00961 | Broken Authentication and Session Management
  
• Antonio Rocco Spataro, it.linkedin.com/in/antonio-rocco-spataro-9007a6175 |Security Misconfiguration
  
• Dan Fabro, https://dnx.zone | XSS vulnerability
  
• Donato Di Pasquale, www.linkedin.com/in/ddipa/ | Redirect, Security Misconfiguration
• Enes Saltik, twitter.com/EnesSaltk7 | Cross Site Scripting (XSS)
• Francesco Ferreri, twitter.com/@MindOverflow42 | HTML Code Injection
• Gaurang Maheta, www.linkedin.com/in/gaurang883 | Security Misconfiguration, Outdated software
  
• George Crook, www.linkedin.com/in/georgecrook | Clickjacking, Multiple Security Misconfigurations
  
• Joaquín López-Cortijo Guijarro, j.lopez@hounder.io | Cross Site Scripting (XSS)
  
• Krishna Kaiwartya, www.linkedin.com/in/krishna-kaiwartya-a170a21ba | Security Misconfiguration
  
• Lavan Kumar, www.linkedin.com/in/lavan-kumar-71001a74 | Redirect
  
• Marco Ilardi, twitter.com/ila_marco_ | HTML Code Injection
• Mipam Ludwig Uderzo, linkedin.com/in/mipam-ludwig-uderzo-49099820b |Cross Site Scripting (XSS)
  
• Mirko Caruso, www.linkedin.com/in/mirko-caruso | Security Misconfiguration
• Nguyen Anh Tuan, twitter.com/_nhiephon | Redirect, XSS vulnerability, Multiple Remote code execution
• Patrizio Tufarolo, www.linkedin.com/in/patriziotufarolo | Security Misconfiguration
  
• Prince Prafull, www.linkedin.com/in/prince-prafull-19a477194 | Security Misconfiguration
  
• Ridoy Khan | Security Misconfiguration
• Sanket Ambalkar, www.linkedin.com/in/sanket-ambalkar-70211518b/ | Security Misconfiguration
  
• Shay Ben Tikva | Cross Site Scripting (XSS)
• Sheikh Rishad, twitter.com/sheikhrishad0 | Security Misconfiguration
• Simone Quatrini | Broken Authentication and Session Management
• Taha Bıyıklı, linkedin.com/in/tahabykl | HTML Code injections
  
• Vijay Sutar, twitter.com/VijaySu25711066 | Security Misconfiguration
  

2020

• Alessandro Braccio | Broken Access Control
• Alessio Della Libera, www.linkedin.com/in/alessiodellalibera | XSS vulnerability
• Andrei Manole, www.linkedin.com/in/iulian-manole | Security Misconfiguration
• Antonio Cannito, https://antoniocannito.it | Broken Authentication and Session Management
  
• BabaBounty, https://www.linkedin.com/in/rohan-chaudhari-53aa51174 | XSS vulnerability
• Emad Youssef, twitter.com/Sy3Omda|Security Misconfiguration
• Fabio Mariani, www.linkedin.com/in/fabio-mariani-ab49641a4/ | XSS vulnerability
• Felipe Renzi, twitter.com/Renzi25031469 | Security Misconfiguration
  
• Filippo Sorbellini, sorby.me | Broken Access Control
  
• Flavio Baldassi, www.linkedin.com/in/flavio-baldassi | Security Misconfiguration
• Florian Kunushevci, www.linkedin.com/in/floriankunushevci | XSS vulnerability
• Gourab Sadhukhan, www.linkedin.com/in/gourab-sadhukhan-71158216a | Security Misconfiguration
• Ismail Tasdelen, www.linkedin.com/in/ismailtasdelen | Security Misconfiguration
• Lütfü Mert Ceylan, https://lutfumertceylan.com.tr | XSS vulnerability
• Marco Nappi, www.linkedin.com/in/marco-nappi-a58224157 |  XSS vulnerability
• Mauro Piva, www.linkedin.com/in/pivamauro | Underprotected API
• Mehmet Can GÜNEŞ, twitter.com/mehmetcangunes | Security Misconfiguration
• Mohd Asif Khan, www.linkedin.com/in/mohd-asif-khan-%E2%9C%AA-5228a9179/ | Security Misconfiguration
• Muhammad Hassam, www.linkedin.com/in/muhammad-hassam-arif-19b790163 | Security Misconfiguration
• Nirjhar Banik, www.linkedin.com/in/neerjhar/ | Security Misconfiguration
• Pierpaolo Palmisano, https://it.linkedin.com/in/pierpaolo-palmisano-27ab0b8b | Broken Access Control
• Pratik Khalane, www.linkedin.com/in/pratik-khalane | Security Misconfiguration
• Pritam Mukherjee, www.linkedin.com/in/pritam-mukherjee-urvil-b75ab9b9 | Clickjacking
• Reando Veshi, www.linkedin.com/in/reajpr/ | Broken Access Control, Multiple Security Misconfigurations
• Robert Aaron, www.linkedin.com/in/robert-aaron-14735b188 | Security Misconfiguration
• Siddharth Bose, www.linkedin.com/in/siddharth-bose-406180191 | Security Misconfiguration
• Simone Quatrini | Multiple Security Misconfigurations
  
• Souvik Mondal, www.linkedin.com/in/souvik-mondal-8b3a0a1b3/ | Multiple Security Misconfigurations, Clickjacking
  
• Umesh Prakash Jore, www.linkedin.com/in/umesh-prakash-j-55015194 | Security Misconfiguration
  
• Vaibhav Atkale, www.linkedin.com/in/vaibhav-atkale-b844b8169 | Multiple Security Misconfigurations
• Valerio Alessandroni, www.linkedin.com/in/valerio-alessandroni | Security Misconfiguration

2019

• Alessandro Groppo, it.linkedin.com/in/alessandro-groppo-1a0429146 | Underprotected API
• Andrea Bocchetti, https://www.linkedin.com/in/andreabocchetti | Security Misconfiguration
  
• Andrea Guglielmini, www.linkedin.com/in/andrea-g-563626112 | XSS vulnerability
• Andrei Conache, http://linkedin.com/in/andrei-conache | Multiple XSS vulnerabilities
• Andrei Manole, www.linkedin.com/in/andrei-manole-81626090 | SQL injection
• Antonio Arlia Ciombo, www.linkedin.com/in/antonio-arlia-ciombo-122191121| XSS vulnerability
• Antonio Blescia, www.linkedin.com/in/antonio-blescia | CSRF
• Cristian Giustini, https://twitter.com/voidz0r | Security Misconfiguration, XSS vulnerability, SQL injection
• Emad Youssef, twitter.com/Sy3Omda | Redirect, Cross Site Scripting (XSS)
• Ennio Campagna, www.linkedin.com/in/ennio-campagna-720835145 | XSS vulnerability
• Filippo Sorbellini, sorby.me | Broken Authentication and Session Management
• Flavio Baldassi, www.linkedin.com/in/flavio-baldassi | Multiple Security Misconfigurations
• Francesco Lacerenza, linkedin.com/in/francesco-lacerenza | Security Misconfiguration
• Giantonio Chiarelli, www.linkedin.com/in/giantoniochiarelli/?originalSubdomain=it |  XSS vulnerability
• Kasper Karlsson | XSS vulnerability
• Lorenzo Comi, www.linkedin.com/in/lorenzo-comi-53b94789 | XSS vulnerability
• Marco Nappi, www.linkedin.com/in/marco-nappi-a58224157| Multiple XSS vulnerabilities
• Mario Alviano, alviano.com | Broken Authentication and Session Management, Underprotected API
• Michele Romano, https://hackerone.com/mik317 | XSS vulnerability
• Pethuraj M, https://www.pethuraj.in | Security Misconfiguration
  
• Pierpaolo Palmisano, it.linkedin.com/in/pierpaolo-palmisano-27ab0b8b | Broken Access Control | XSS vulnerability
• Rahad Chowdhury, www.linkedin.com/in/rahadchowdhury | Multiple Security Misconfigurations
• Rupesh Kokare, www.linkedin.com/in/rupesh-kokare-b63a78145 | Redirect
• Simone Quatrini | Multiple Security Misconfiguration
• Tushar Shinde, www.linkedin.com/in/tushar-shinde-589503112 | Security Misconfiguration
• Vishal Bharad, https://twitter.com/i_am_vishh?s=09 | Security Misconfiguration

2018

• Abdel Adim Oisfi, twitter.com/smaury92 | XSS vulnerability
• Akash Labade, www.linkedin.com/in/m0ns7er | CSRF, XSS vulnerability
• Akash Upadhyay, www.linkedin.com/in/akash-upadhayay | Multiple Redirects
• Alessandro Groppo, it.linkedin.com/in/alessandro-groppo-1a0429146 | Security Misconfiguration
• Alessandro Moccia, www.linkedin.com/in/mocciaalessandro | XSS vulnerability
• Alessio Santoru, www.linkedin.com/in/alessiosantoru | XSS vulnerability
• Alfie Njeru, twitter.com/emenalf | Multiple Security Misconfigurations
• Andrea Bocchetti, www.linkedin.com/in/andreabocchetti | Multiple XSS vulnerabilities, Redirect
• Andrea Draghetti, www.andreadraghetti.it | Security Misconfiguration
• Andrea Guglielmini, www.linkedin.com/in/andrea-g-563626112 | Underprotected API
• Andrei Conache, twitter.com/andrei_conache | Multiple XSS vulnerabilities
• Andrei Manole, www.linkedin.com/in/andrei-manole-81626090 | XSS vulnerability
• Angelo Anatrella, angelo.anatrella@gmail.com | XSS vulnerability, Security Misconfiguration
• Antonio Cannito, https://antoniocannito.it | Multiple Security Misconfigurations, CSRF, Multiple XSS vulnerabilities, Broken Authentication and Session Management, SQL injection
• Bill Ben Haim, www.linkedin.com/in/vill-ben-haim-b6775a48 | XSS vulnerability, Redirect
• Carlo Pelliccioni, twitter.com/cpelliccioni | Multiple XSS vulnerabilities, Redirect
• Cristiano Maruti, www.linkedin.com/in/cmaruti | Broken Access Control, XSS vulnerability
• Davide Del Vecchio, www.davidedelvecchio.com | XSS vulnerability, Security Misconfiguration
• Domenico Curigliano, www.linkedin.com/in/domenico-matis-curigliano | Multiple Remote code executions, Multiple XSS vulnerabilities, Redirect
• Donato Scaramuzzo, www.linkedin.com/in/donato-scaramuzzo-1911b83a | Broken Authentication and Session Management
• Emanuele Gentili, twitter.com/emgent | HTML Code injections, XSS vulnerability, Redirect, Security Misconfiguration
• Ezio Paglia, www.linkedin.com/in/ezio-paglia-3704196 | Multiple Security Misconfigurations, Multiple XSS vulnerabilities
• Fabio Pietrosanti, twitter.com/fpietrosanti | Security Misconfiguration
• Federico Camponogara, www.linkedin.com/in/federico-shellock-ab616a30| Redirect, Broken Access Control, Security Misconfiguration
• Federico Valentini, twitter.com/f3d_0x0 | SQL injection
• Federico Zambito, www.linkedin.com/in/federico-zambito-2b967571 | Redirect
• Frank Vickers, www.linkedin.com/in/frank-vickers-199109a | Multiple Security Misconfigurations
• Giovanni Guido, twitter.com/cafebab3 | XSS vulnerability
• Giulio Comi, linkedin.com/in/giuliocomi | Remote code execution
• Ismail Tasdelen, www.linkedin.com/in/ismailtasdelen | Multiple Security Misconfigurations
• Jacopo Jannone, www.jacopojannone.com | XSS vulnerability
• Jose Carlos Exposito Bueno | Multiple XSS vulnerabilities, SQL injection
• Kasper Karlsson | XSS vulnerability
• Lorenzo Comi, www.linkedin.com/in/lorenzo-comi-53b94789 | SQL Injection, Broken Authentication and Session Management
• Lorenzo Stella, www.linkedin.com/in/stellalorenzo | Security Misconfiguration, Underprotected API
• Luca Capacci, www.linkedin.com/in/lucacapacci | Redirect
• Luigi Gubello, www.gubello.me | Multiple XSS vulnerabilities
• Marco Nappi, www.linkedin.com/in/marco-nappi-a58224157/ | Multiple XSS vulnerabilities
• Matteo Neri, twitter.com/nmatte90 |SQL injection
• Mattia Reggiani, twitter.com/mattia_reggiani | XSS vulnerability
• Mert Can Esen, www.linkedin.com/in/mertcanesen | XSS vulnerability
• Michele Toccagni, hacktips.it | SQL injection, XSS vulnerability, Multiple Security Misconfigurations
• Mohamed Ouad, www.linkedin.com/in/ouadmoha | Broken Authentication and Session Management, Underprotected API
• Paolo Giai | keybase.io/polict | XSS vulnerability
• Paolo Montesel, twitter.com/pmontesel | Underprotected API
• Paolo Stagno, voidsec.com | XSS vulnerability, Redirect
• Pasquale Fiorillo, www.pasqualefiorillo.it | XSS vulnerability, Multiple SQL injections
• Raffaele Forte, backbox.org | Remote Code Execution
• Raffaele Sabato, syrion.me | Multiple Security Misconfigurations
• Shubham Pathak, twitter.com/ShubhamPthk | Multiple Security Misconfigurations
• Simone Cardona, www.linkedin.com/in/simone-cardona | Multiple XSS vulnerabilities, Redirect, Security, Misconfiguration
• Simone Onofri, it.linkedin.com/in/simoneonofri | XSS vulnerability, Redirect
• Simone Quatrini | Security Misconfiguration, XSS vulnerability
• Valerio Mancini, www.linkedin.com/in/valerio-mancini-2520a067 | Remote code execution
• Vincenzo Chieppa, twitter.com/Procode701 | XSS vulnerability, SQL injection
• Vishal Jain, linkedin.com/in/vishaljain113 | Security Misconfiguration