Enterprise IT vulnerability disclosure program

Ericsson is committed to high security standards and encourages the reporting of any security vulnerabilities. It is vital that we are notified as early as possible to prevent potential damage. Thank you!

Acknowledgement of reported vulnerabilities 

Individuals who report vulnerabilities may be recognized as described below. Reporting is done via the Vulnerability disclosure form.

We're looking for any exploitable vulnerability that directly impacts confidentiality, integrity, and availability (CIA) on the domains:

  • *.ericsson.com
  • *.ericsson.net 

Examples of vulnerabilities that can be acknowledged on our website

  • Bypassing our API's security 
  • Cross-site scripting (XSS) 
  • Server-side code execution 
  • Authentication and authorization flaws 
  • Server-side request forgery (SSRF) 
  • Sensitive data exposure 
  • Access to Ericsson’s internal administrative control systems. 
  • Remote Code Execution. 

Examples of vulnerabilities that will not be acknowledged by us: 

  • Any IT Asset not owned and managed by Ericsson. 
  • Non-security related bugs. 
  • DOS / brute-force attacks. 
  • Mixed-content scripts. 
  • Social engineering page. 
  • Theoretical vulnerabilities. 
  • Certificate related findings. 
  • Standard user enumeration attacks. 
  • SaaS Solution provider to Ericsson. 
  • Any other activity that could disrupt, damage, or harm our users or services. 
  • Failures to adhere to "best practices" (for example, common HTTP headers, link expiration, email-validation, or password policy). 

We encourage you to report any vulnerabilities related to, for example, SaaS solutions directly to the provider.