Coordinated Vulnerability Disclosure policy

  •  Purpose

The Coordinated Vulnerability Disclosure (CVD) process is a collaborative approach to handling the disclosure of security vulnerabilities. The purpose of this Coordinated Vulnerability Disclosure policy is to establish a framework for communication and collaboration between E-Scopics, its users, security researchers, and other stakeholders when a security vulnerability is identified in one of E-Scopics' products.

E-Scopics recognizes the importance of addressing cybersecurity risks in medical devices to ensure patient safety and the integrity of its products. A Coordinated Vulnerability Disclosure process helps facilitate the responsible reporting and handling of security vulnerabilities in a way that minimizes the potential risk to patients.

  •  Disclosure

How to disclose a vulnerability or an incident

Please include the following information in your report:

  • Sufficient contact information, such as your organization and a contact name, so that E-Scopics can get in touch with you.

  • A description of your discovery that is as detailed as possible (e.g. time and date, product or service name, affected version, operating system, software configuration of the computer or device configuration at the time the incident was discovered), with clear, concise, reproducible steps. Where applicable, please provide screenshots and/or videos; these help E-Scopics' security team reproduce the issue.

  • The impact of the vulnerability: if this bug were exploited, what could happen?

  • A recommended solution (optional, but appreciated).

E-Scopics' security team will review, investigate, and validate your disclosure. Depending on the risk level associated with the disclosure, you will be informed of the actions to take in order to remediate the incident or vulnerability and reduce its impact. Remediation typically involves installing an upgrade or a new version. Where appropriate or necessary, E-Scopics should provide workarounds by which you can protect the affected product or service until a more permanent solution is implemented.

 

Timelines for providing an updated version are as follows.

Once the risk level associated with the disclosure has been assessed, the E-Scopics team will conform to the following timetable for communications and for the provision of product updates:

Risk level: HIGH
  • Communication: Direct, immediate communication (email) to stop users from using the app if needed, or to inform them of the precautions to be taken before updating.
  • Timeline: Update delivered 72 hours after a fix has been released.

Risk level: MEDIUM
  • Communication: Workarounds by which users can protect the affected product or service until a more permanent solution is implemented; information about mitigation strategies in the release notes of the updated version.
  • Timeline: 15 days to deliver a new release; 72 hours to deliver the update once the release is finalized.

Risk level: LOW
  • Communication: Information about mitigation strategies (if mitigation is performed) in the release notes of the updated version.
  • Timeline: Next release, if necessary.