Vulnerability Disclosure Policy

Coroventis is committed to protecting against potential vulnerabilities that could affect the integrity and security of our products or the privacy of our patients and customers. The threat of cyberattacks to medical devices and other systems is constantly evolving. In response, we have established a disclosure program that is focused on reducing the cybersecurity risks from new and emerging threats, enabling us to continuously improve the security of our products.
We recognize the importance of incorporating cybersecurity considerations throughout our product development process and the need to collaborate and partner with security researchers, patients and our customers to understand new vulnerabilities that may be present in our products.

SCOPE

The scope of our cybersecurity coordinated product disclosure reporting process includes Medical Devices and Software as a Medical Device. It is not intended to provide technical support information on our products or for reporting Adverse Events or Product Quality Complaints.

CONTACT INFORMATION

If you have identified a potential security vulnerability or privacy issue with our products, please contact us by sending an email (in English) to info@coroventis.com.

Please provide the following relevant information in your submission. We ask that you please refrain from including sensitive information (e.g., patient information) in any documents provided to Coroventis:

  • All necessary contact information (contact names, organization name, tracking numbers, email addresses, phone numbers) so that we can get in touch with you.
  • A technical description of the issue or vulnerability. This might include:
    • Exact product description, including name and version/model numbers, configuration details, serial numbers, etc.
    • Network configuration details (as appropriate).
    • Conditions required to reproduce the issue.
  • Information about the tools and techniques used to conduct the testing and any pertinent test configurations.
  • Specific proof-of-concept or exploit code if applicable.
  • Any prior notification, or intent of future notification, of the vulnerability to any other parties (vulnerability coordinators, regulatory entities, other impacted vendors, etc.), providing any relevant details (tracking numbers, contact information, etc.).
  • Information regarding intent to publicly disclose reported vulnerability information.
  • An indication if the vulnerability is being actively exploited, or is known to others.

WHAT WE ASK OF YOU

Upon submission of a vulnerability, Coroventis:

  • Will acknowledge receipt of the initial email within 5 business days.
  • Will evaluate and validate the reported findings, working with the appropriate product teams for review and verification. You may be contacted to provide additional information during this stage.

If the vulnerability is confirmed, Coroventis:

  • Will evaluate the potential impact. We will identify and take appropriate action.
  • Will provide status updates of the remediation process until the closure of the submission.

NOTICE

In the case you decide to share any information with Coroventis, you agree that the information you submit will be considered as non-proprietary and non-confidential and that Coroventis is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for Coroventis.