Coordinated Vulnerability Disclosure (CVD) Program
Security is a core principle at Nokia. We welcome and encourage responsible disclosure of potential security vulnerabilities in Nokia products and Nokia-hosted services through our Coordinated Vulnerability Disclosure (CVD) program.
CVD outlines how to report a vulnerability and what to expect during the handling process.
This page is intended for security researchers who are not directly affiliated with Nokia customers. For our customers, we recommend using the official contact point in your customer team.
How to report a vulnerability
Nokia accepts vulnerability reports, including anonymous submissions.
To report a potential security issue in a Nokia product or Nokia-hosted service, please contact: security-alert@nokia.com
If necessary, you may protect sensitive information by encrypting it with our public PGP key, whose fingerprint is: B88A5B043A75E913D601F23ACBDD1EFF75E14178
We also publish an RFC 9116-compliant security.txt file at https://www.nokia.com/.well-known/security.txt
What to include in your report
Providing clear and complete information helps us triage and resolve issues efficiently. Where applicable, please include:
- Product name and version
  - Exact product name, edition, and version (hardware and software).
- Steps to reproduce
  - Clear, repeatable instructions.
  - Include proof-of-concept (PoC) or exploit code if available.
- Observed vs. expected behaviour
  - Describe what you expected to happen, and what actually occurred.
- Impact assessment
  - Potential impact if the vulnerability were exploited (e.g., data exposure, privilege escalation).
  - A CVSS vector is preferred if you can provide one.
Please note: Reports consisting solely of automated scanner output, or generic notifications referencing known CVEs without reproduction steps, are not within the scope of the CVD program.
Vulnerability handling process
We follow a structured internal CVD process. Once we receive your report, we will:
- Acknowledge receipt of reports
- Maintain communication throughout the investigation
- Determine resolution timelines based on the severity and complexity
CVE assignment and disclosure
As a CVE Numbering Authority (CNA), we may assign CVE IDs for confirmed vulnerabilities that:
- Affect actively supported Nokia products, and
- Originate from Nokia proprietary code
We do not assign CVE IDs for vulnerabilities that:
- Occur in third-party components or products
- Affect only End-of-Life (EOL) products
- Affect internal corporate infrastructure or services rather than Nokia products
- Already have publicly available patches
- Do not present a generic customer impact
If a CVE ID is assigned, we will publish a Security Advisory on our official disclosure page, following a mutually agreed public disclosure date.
Acknowledgement
With the reporter’s consent, we may recognize validated contributions in our Hall of Fame and in the Acknowledgements section of the relevant Security Advisory.
Additional Information
Nokia does not currently offer a bug bounty program.
For questions or additional guidance, please contact security-alert@nokia.com.