Coordinated Vulnerability Disclosure policy
-
Purpose
The Coordinated Vulnerability Disclosure (CVD) process is a collaborative approach to handling the disclosure of security vulnerabilities. The purpose of this Coordinated Vulnerability Disclosure process is to establish a framework for communication and collaboration between E-Scopics, its users, security researchers, and other stakeholders when a security vulnerability is identified in one of E-Scopics' products.
E-Scopics recognizes the importance of addressing cybersecurity risks in medical devices to ensure patient safety and the integrity of its products. A Coordinated Vulnerability Disclosure process helps facilitate responsible reporting and handling of security vulnerabilities in a way that minimizes the potential risks to patients.
-
Disclosure
How to disclose a vulnerability or an incident?
- Send an email to security@e-scopics.com.
Please include the following information:
- Sufficient contact information, such as your organization and a contact name, so that E-Scopics can get in touch with you.
- A description of your discovery that is as detailed as possible (e.g. time and date, product or service name, affected version, operating system, and the software configuration of the computer or device at the time the incident was discovered), with clear, concise, reproducible steps. If applicable, please provide screenshots and/or videos; these help the E-Scopics security team reproduce the issue.
- The impact of the vulnerability: if this bug were exploited, what could happen?
- A recommended solution (optional, but appreciated).
The E-Scopics security team will review, investigate, and validate your disclosure. Depending on the risk level associated with the disclosure, you will be informed of the actions to take in order to remediate the incident or vulnerability and reduce its impact. Remediation typically involves installing an upgrade or a new version. As appropriate or necessary, E-Scopics should provide workarounds by which you can protect the affected product or service until a more permanent solution is implemented.
Once the risk level associated with the disclosure has been assessed, the E-Scopics team will conform to the following timetable for communications and for the provision of product updates:
Risk level | Communication | Timeline
HIGH | Direct, immediate communication (email) to stop users from using the app if needed, or to inform them of the precautions to take before updating |
MEDIUM | Workarounds by which users can protect the affected product or service until a more permanent solution is implemented; information about mitigation strategies in the release notes of the updated version | 72 hours to deliver an update once the release is finalized
LOW | Information about mitigation strategies (if mitigation is performed) in the release notes of the updated version | Next release, if necessary