
Responsible Disclosure

Safety first

Fastweb considers data protection and the protection of its customers a priority and therefore would ask anyone who has discovered a vulnerability in one of its systems, services or products to send an alert.

Our commitment

Fastweb considers data protection and the protection of its customers a priority and therefore adopts a safe development process for its systems, services and products at every phase, from design to release.

Despite this, occasionally some vulnerabilities are not detected and/or only appear once the product, application or service has been released to the public. That is why, to further improve its levels of security and reliability, Fastweb has published this Responsible Disclosure procedure. Its aim is to involve researchers and, more generally, cyber security enthusiasts in helping the company make its systems even safer and more reliable and guarantee the safety and privacy of its customers, by managing security vulnerabilities responsibly.

Fastweb therefore would ask anyone who has discovered a vulnerability in one of its systems, services or products, such as

  • Fastweb portals, e.g. “” domain (except and;
  • Fastweb branded devices (e.g. ADSL modem-routers), with the exception of mobile phones;
  • Fastweb branded mobile applications published on official stores (e.g. MyFastweb, WOW space, FASTcloud Drive, Fastmail, etc.);

to send a report following the Responsible Disclosure policy below:

Please send the report to, including the following information:

  • The type of vulnerability detected (e.g. OWASP Top 10 category) and its potential impact;
  • The portal, application, service or device affected by the vulnerability;
  • A detailed description of the problem (so that it can be replicated);
  • A zip file containing all the material that can help to replicate the problem. The file size cannot exceed 10MB;
  • Your identification data (name, surname, any organization you work for, any links to sites or social networks) for publication in the Hall of Fame (if explicit authorisation is given);
  • The IP address from which the vulnerability was discovered and the date/time of detection;
  • Consent or non-consent to passing your data to the technology manufacturer involved in the report, for possible direct contact;
  • Whether or not you are willing to be included in Fastweb's Responsible Disclosure Hall of Fame section.

The email can be encrypted using the following PGP key:
PGP key: 0xD794D11B - Fingerprint: 2657C6774227AB32A78B74F330D5E865D794D11B

  • Keep discovered vulnerabilities strictly confidential and secret, undertaking not to disclose them or make them available to third parties for a period of time to be agreed with Fastweb, so as to allow the company to identify and apply the appropriate countermeasures.
  • Work with the Fastweb Security team and the work groups involved.
  • Make every effort to avoid breaches of privacy, deterioration or suspension of services and destruction of data. In this regard, it is expressly forbidden to:
      • Access, modify or download data from an account for which you do not have rights;
      • Carry out actions similar to "Denial of Service" attacks or capable of damaging the functioning of any Fastweb asset or resource;
      • Upload, link, run or send malicious code using Fastweb systems;
      • Carry out tests whose effect is to send unwanted messages, spam or other forms of unauthorised messages.

Once the report is received, Fastweb undertakes:

  • Not to take legal action against anyone who discovers and reports security breaches in compliance with this Responsible Disclosure policy. Any request for compensation (in cash or otherwise) for identified or suspected vulnerabilities will be deemed not to comply with this Responsible Disclosure policy.
  • To send a confirmation email within 20 days, confirming that the report has been received and providing information on the relevance of the report to the Responsible Disclosure process and on the outcome of the preliminary analysis carried out by Fastweb.
  • To provide a time frame for resolving the vulnerability and to agree accordingly on the date by which the name will be published in the "Hall of Fame" section. Fastweb reserves the right to extend the period of confidentiality, and therefore the date of publication, giving appropriate notice to the person who sent the report should additional time be required to correct the vulnerability.
  • To manage the report appropriately in order to comply with the time frames indicated and, if a vulnerability has been appropriately reported and has not yet been resolved, to publicly thank the author in the "Hall of Fame" section, if permission has been given.

Reports relating to the following cases are excluded from this Responsible Disclosure procedure:

  • Results of automatic vulnerability assessment/penetration testing/information gathering tools (e.g. SQLmap, OWASP ZAP, nmap, etc.);
  • Results of physical tests on networks (e.g. open door, tailgating);
  • Results of Denial of Service attacks (DoS, DDoS), for which Fastweb reserves the right to take appropriate measures;
  • All reports not related to the Responsible Disclosure process. Such reports will not be taken into account and no feedback will be provided. For phishing and/or spam problems we suggest contacting the mailbox, while for privacy problems we suggest contacting the mailbox;
  • Findings on domains not directly managed by Fastweb or in any case not part of the above-mentioned perimeter to which the program applies;
  • Assessment results obtained through specialized sites (e.g.,,;
  • Bugs relating to the User Interface or User Experience that do not constitute a security flaw (e.g. typing errors in the page format), for which reference is made to the institutional channels of Customer Care (Call Center 192193, Private Message Facebook);
  • Other reports related to low-impact vulnerabilities, such as clickjacking, weak captcha, lack of cookie flags (e.g. Secure, HttpOnly), lack of HTTP security headers.

Fastweb also does not plan to provide users participating in the program with resources such as accounts or dedicated test environments.

Fastweb reserves the right to update the Responsible Disclosure procedure described above at any time.

Hall of Fame

Fastweb thanks all those who have responsibly contributed to improving the security of its systems, services and products, demonstrating their excellent technical skills in the field of computer security!

Raffaele Sabato
Ezio Paglia
Angelo Anatrella
Lorenzo Stella
Francesco Iubatti
Andrei Manole
Federico Zambito
Simone Quatrini
Antonio Cannito
Michele Toccagni
Alessandro Sacco
Emanuele Gentili
Francesco Giordano
Alessandro Groppo
Alexander Bekk
Serge Lacroute
Ennio Campagna
Marco Nappi
Alessandro Moccia
Aaditya Kumar Sharma
Vincenzo Vetturelli
Riccardo Gasparini
Paolo Stagno
Hatim Chabik
Roman Paci
Aditya Shende