Responsible Disclosure

Safety first

Fastweb considers data protection and the protection of its customers a priority and therefore would ask anyone who has discovered a vulnerability in one of its systems, services or products to send an alert.

Our commitment

Fastweb considers data protection and the protection of its customers a priority and therefore adopts a safe development process for its systems, services and products at every phase, from design to release.

Despite this, some vulnerabilities are occasionally not detected and/or only appear once the product, application or service has been released to the public. That is why, to further improve its levels of security and reliability, Fastweb has published this Responsible Disclosure procedure. Its aim is to involve researchers and, more generally, cyber security enthusiasts in helping the company make its systems even safer and more reliable by responsibly managing security vulnerabilities, in a mutual commitment to protect the security and privacy of its customers.

Fastweb therefore would ask anyone who has discovered a vulnerability in one of its systems, services or products, such as

  • Fastweb portals, e.g. the .fastweb.it and .fastwebnet.it domains (except www.gestione-documenti.fastweb.it and www.i-miei-documenti.fastweb.it);
  • Fastweb branded devices (e.g. ADSL modem-routers with the exception of mobile phones);
  • Fastweb branded mobile applications published on official stores (e.g. MyFastweb, WOW space, FASTcloud Drive, Fastmail, etc.);

to subscribe to the portal at this link and to:

  • Submit a report, agreeing to follow the responsible disclosure policy described below. The report entered on the portal, following the instructions given in the new report entry form, should contain the main information needed to allow us to identify and reproduce the vulnerability that you intend to report.
  • Keep discovered vulnerabilities strictly confidential and secret, undertaking not to disclose them or make them available to third parties until Fastweb communicates that it has applied the appropriate countermeasures, and in any case only after sharing with us the contents that you intend to disclose, as mutual protection to avoid the unintentional disclosure of business information not related to the vulnerability and which must remain confidential.
  • Work with the Fastweb Security team and the work groups involved.
  • Make every effort to avoid breaches of privacy, deterioration or suspension of services and destruction of data. In this regard, it is expressly forbidden to:
      • access, modify or download data from an account for which you do not have rights;
      • carry out actions similar to "Denial of Service" attacks or capable of damaging the functioning of any Fastweb asset or resource;
      • upload, link, run or send malicious code using Fastweb systems;
      • carry out tests whose effect is to send unwanted messages, spam or other forms of unauthorised messages.

Once the report is received, Fastweb undertakes:

  • not to take legal action against anyone who discovers and reports security breaches in compliance with this Responsible Disclosure policy. Any request for compensation (in cash or otherwise) for identified or suspected vulnerabilities will be deemed not to comply with this Responsible Disclosure policy;
  • to send online feedback within 20 days, providing information on the relevance of the report to the Responsible Disclosure process and on the outcome of the preliminary analysis carried out by Fastweb;
  • to publish the name of the reporter and/or the contact details provided in the Hall of Fame section, if the finding is positive and the reporter has requested it. As stated above, Fastweb considers the information confidential until the vulnerability has been closed and the reporter has been notified accordingly.

Reports relating to the following cases are excluded from this Responsible Disclosure procedure and will therefore be rejected:

  • results of automatic vulnerability assessment/penetration testing/information gathering tools (e.g. SQLmap, OWASP ZAP, nmap, etc.);
  • results of physical tests on networks (e.g. open doors, tailgating);
  • results of Denial of Service attacks (DoS, DDoS), for which Fastweb reserves the right to take appropriate measures;
  • all reports not related to the Responsible Disclosure process. Such reports will not be taken into account and no feedback will be provided. For phishing and/or spam problems we suggest contacting the mailbox abuse@fastweb.it, while for privacy problems we suggest contacting the mailbox privacy@fastweb.it;
  • findings on domains not directly managed by Fastweb or in any case not part of the above-mentioned perimeter to which the program applies;
  • results of assessments conducted through specialised sites (e.g. ssllabs.com, securityheaders.io, urlscan.io);
  • bugs relating to the User Interface or User Experience that do not constitute a security flaw (e.g. typing errors, page formatting), for which reference is made to the institutional Customer Care channels (Call Center 192193, Facebook private message);
  • other reports related to low-impact vulnerabilities, such as clickjacking, weak captcha, lack of cookie flags (e.g. Secure, HttpOnly), lack of HTTP security headers.

Fastweb also does not plan to provide users participating in the program with resources such as accounts or dedicated test environments.

Fastweb reserves the right to update the Responsible Disclosure procedure described above at any time.

Hall of Fame

Fastweb thanks all those who have responsibly contributed to improving the security of its systems, services and products, demonstrating their excellent technical skills in the field of computer security!

2018
Raffaele Sabato
Ezio Paglia
Angelo Anatrella
Lorenzo Stella
2019
Francesco Iubatti
Andrei Manole
Federico Zambito
Simone Quatrini
Antonio Cannito
Michele Toccagni
Alessandro Sacco
Emanuele Gentili
Francesco Giordano
Alessandro Groppo
Alexander Bekk
Serge Lacroute
Ennio Campagna
Marco Nappi
Alessandro Moccia
Aaditya Kumar Sharma
Vincenzo Vetturelli
Riccardo Gasparini
Paolo Stagno
Hatim Chabik
Roman Paci
Aditya Shende
Abdul Ghaffar Afzal
Angelo Anatrella
Giantonio Chiarelli
Andrea Togni
Giorgio Di Grazia
Rutik Sangle
Pethuraj M
Yogeshwaran Chandrasekaran
2020
Abdel Adim Oisfi
Vivek Panday
Alessio Della Libera
Asim Sattar
Rahad Chowdhury
Alessandro Strino
Simone Quatrini
Antonio Arlia Ciombo
Roman Paci
Fabio Mariani
Marco Mezzaro
Luca Di Domenico
Shivprasad Sambhare
Harshal S. Sharma
Cesare Pizzi
Jawad Mahdi
Andrea Falso
2021
Chan Nyein Wai
Simone Quatrini
Giovanni Fazi
Richie from ZYB
Donato Di Pasquale
Michele Corrias
Paolo Carretto
Andrea Baesso
Pasquale Fiorillo
Donato Scaramuzzo
Jacopo Cavallo
Christian Danieli
Valerio Casalino
2022
Donato Scaramuzzo
Andrei Manole
Simone Paganessi
Simone Quatrini
Valerio Severini
Reando Veshi
Antonio Cannito
Abhith Damodaran
Alessandro Casale
Felipe Renzi
Nicola Concas
2023
Nguyen Phu Hung
Simone Quatrini
Hasan Sheet
Qais Qais
Patrick Justin Ciurdas
Daniele Capone
Emanuele Galdi
Abdul Samad
Domenico Veneziano
2024
Jay Mehta
Hasan Sheet
Aditya Singh
Simone Quatrini
Vinayak Sakhare
Vaibhav Jain
Iliass Lahrach
Riccardo Malatesta