Responsible Disclosure

Safety first

Fastweb considers data protection and the protection of its customers a priority and therefore would ask anyone who has discovered a vulnerability in one of its systems, services or products to send an alert.

Our commitment

Fastweb considers data protection and the protection of its customers a priority and therefore adopts a safe development process for its systems, services and products at every phase, from design to release.

Despite this, occasionally, some vulnerabilities are not detected and / or occur once the product, application or service is released to the public. That is why, to further improve its levels of security and reliability, Fastweb has published this Responsible Disclosure procedure. Its aim is to involve researchers and more generally, cyber security enthusiasts to help the company to make its systems even safer and more reliable responsibly managing security vulnerabilities, in a mutual commitment to protect the security and privacy of its customers.

Fastweb therefore would ask anyone who has discovered a vulnerability in one of its systems, services or products, such as

Fastweb portals, “.fastweb.it”, domains (except www.gestione-documenti.fastweb.it and www.i-miei-documenti.fastweb.it);
Fastweb branded devices (e.g. ADSL modem-routers with the exception of mobile phones);
Fastweb branded mobile applications published on official stores (e.g. MyFastweb, FASTcloud Drive, Fastmail, etc.);

to subscribe to the portal at this link and

Submit a report, agreeing to follow the responsible disclosure policy described below.
The report entered on the portal following the instructions given in the new report entry form, should contain the main information useful to allow us to identify and reproduce the vulnerability that you intend to report.

Keep discovered vulnerabilities strictly confidential and secret, undertaking not to disclose them or make them available to third parties until Fastweb communicates that it has applied the appropriate countermeasures, and in any case after sharing with us the contents that you intend to disclose, as mutual protection to avoid the unintentional disclosure of business information not related to the vulnerability and which must remain confidential.

Work with the Fastweb Security team and work groups involved.

Make every effort to avoid breaches of privacy, deterioration or suspension of services and destruction of data. In this regard, it is expressly forbidden to:

Access, modify or download data from an account for which you do not have rights; Implement actions similar to "Denial of Service" attacks or capable of damaging the functioning of any Fastweb asset or resource; Upload, link, run or send malicious code using Fastweb systems; Carry out tests the effect of which is to send unwanted messages, spam or other forms of unauthorised messages;

Once the report is received, Fastweb undertakes:

Not to take legal action against anyone who discovers and reports security breaches in compliance with this Responsible Disclosure policy. Any request for compensation (in cash or otherwise) for identified or suspected vulnerabilities will be deemed not to comply with this Responsible Disclosure policy.

Send an online feedback within 20 days, to provide information on the relevance of the report for the Responsible Disclosure process and on the outcome of the preliminary analysis carried out by Fastweb.

Publish the name of the reporter and/or the contact details provided in the Hall of Fame section, if the finding is positive and the reporter has requested it. It is understood, as defined above, that Fastweb considers the period of confidentiality of the information until the vulnerability is closed and the subsequent information is provided to the reporter.

Reports relating to the following cases are excluded from this Responsible Disclosure procedure and will therefore be rejected:

Results of automatic vulnerability assessment/penetration testing/Information Gathering tools (e.g. SQLmap, Owasp ZAP, nmap, etc.); Results of physical tests on networks (e.g. open door, tailgating); Results of Denial of Service attacks (DoS, DDoS), for which Fastweb reserves the right to take appropriate measures; All reports not related to the Responsible Disclosure process. Such reports will not be taken into account and no feedback will be provided. For phishing and/or spam problems we suggest to contact the mailbox abuse@fastweb.it, while for privacy problems we suggest to contact the mailbox privacy@fastweb.it; Findings on domains not directly managed by Fastweb or in any case not part of the above mentioned perimeter to which the program applies; Assessment results conducted through specialized sites (e.g. ssllabs.com, securityheaders.io, urlscan.io); Bugs relating to the User Interface or User Experience that do not constitute a security flaw (e.g. typing errors, in the page format) for which reference is made to the institutional channels of Customer Care (Call Center 192193, Private Message Facebook); Other reports related to low-impact vulnerabilities, such as clickjacking, weak captcha, lack of cookie flags (e.g. secure, HTTPOnly), lack of HTTP security headers;

Fastweb also does not plan to provide users participating in the program with resources such as accounts or dedicated test environments.

Fastweb reserves the right to update the Responsible Disclosure procedure described above at any time.

Hall of Fame

Fastweb thanks all those who have responsibly contributed to improving the security of its systems, services and products, demonstrating their excellent technical skills in the field of computer security!

2018

Raffaele Sabato

Ezio Paglia

Angelo Anatrella

Lorenzo Stella

2019

Francesco Iubatti

Andrei Manole

Federico Zambito

Simone Quatrini

Antonio Cannito

Michele Toccagni

Alessandro Sacco

Emanuele Gentili

Francesco Giordano

Alessandro Groppo

Alexander Bekk

Serge Lacroute

Ennio Campagna

Marco Nappi

Alessandro Moccia

Aaditya Kumar Sharma

Vincenzo Vetturelli

Riccardo Gasparini

Paolo Stagno

Hatim Chabik

Roman Paci

Aditya Shende

Abdul Ghaffar Afzal

Angelo Anatrella

Giantonio Chiarelli

Andrea Togni

Giorgio Di Grazia

Rutik Sangle

Pethuraj M

Yogeshwaran Chandrasekaran

2020

Abdel Adim Oisfi

Vivek Panday

Alessio Della Libera

Asim Sattar

Rahad Chowdhury

Alessandro Strino

Simone Quatrini

Antonio Arlia Ciombo

Roman Paci

Fabio Mariani

Marco Mezzaro

Luca Di Domenico

Shivprasad Sambhare

Harshal S. Sharma

Cesare Pizzi

Jawad Mahdi

Andrea Falso

2021

Chan Nyein Wai

Simone Quatrini

Giovanni Fazi

Richie from ZYB

Donato Di Pasquale

Michele Corrias

Paolo Carretto

Andrea Baesso

Pasquale Fiorillo

Donato Scaramuzzo

Jacopo Cavallo

Christian Danieli

Valerio Casalino

2022

Donato Scaramuzzo

Andrei Manole

Simone Paganessi

Simone Quatrini

Valerio Severini

Reando Veshi

Antonio Cannito

Abhith Damodaran

Alessandro Casale

Felipe Renzi

Nicola Concas

2023

Nguyen Phu Hung

Simone Quatrini

Hasan Sheet

Qais Qais

Patrick Justin Ciurdas

Daniele Capone

Emanuele Galdi

Abdul Samad

Domenico Veneziano

2024

Jay Mehta

Hasan Sheet

Aditya Singh

Simone Quatrini

Vinayak Sakhare

Vaibhav Jain

Iliass Lahrach

Riccardo Malatesta

Patrick Justin Ciurdas

Pablo Santiago Gil

Alejandro Sanz

Siddesh Ningappa

Andrea Amaddio

Ujjawal Jaiman

Martino Ferrari