Coordinated Vulnerability Disclosure Policy
EXINI Diagnostics AB Coordinated Vulnerability Disclosure
EXINI Diagnostics AB (“EXINI,” “we,” “our,” or “us”) is committed to ensuring the safety and security of patients, customers and customer sites, including the protection of personal data. Our company recognizes the importance of security researchers in achieving these objectives. This policy sets out the circumstances under which security researchers may conduct security research on EXINI-owned products, how to communicate with EXINI, and what they can expect from us.
Scope
The purpose of this policy is to coordinate disclosure of vulnerabilities found in EXINI products and to allow time for investigation and handling of security patches, so that our customers and/or patients are not put at unnecessary risk. EXINI encourages you to report vulnerabilities related to EXINI products by contacting support@exini.com.
EXINI does not intend to engage in legal action against individuals who in good faith report vulnerabilities according to EXINI's coordinated vulnerability disclosure policy, meaning that they:
- Notify us as soon as possible after they discover a real or potential security issue.
- Comply with applicable laws and regulations.
- Avoid affecting safety or privacy for patients and/or customers.
- Don’t disclose a vulnerability before an agreed timeframe.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only exploit to the extent necessary to confirm a vulnerability’s presence.
Out of scope for our vulnerability disclosure policy are:
- Security research involving phishing.
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
The procedure for vulnerability reporting and disclosure is as follows:
Report
We expect that individuals finding vulnerabilities in EXINI products report these to us through support@exini.com. The vulnerability found and the affected product shall be clearly described. The report shall also state whether the vulnerability is already known or has already been disclosed. EXINI urges that vulnerabilities found in our products not be disclosed immediately, as that can put patients and/or customers at risk.
We expect that the report is provided in English and includes:
- Affected device (including version).
- Description of the vulnerability (including description of exploit code, proof of concept, sample packet capture, network traces, when discovered, where discovered).
- Operating system, browser, network connectivity in use when vulnerability was discovered.
- Known suspected threats related to the found vulnerability.
- Contact information for the reporter/security researcher (anonymous reports are accepted).
Be careful to not include information that contains personally identifiable or protected health information.
Investigation, Vulnerability Handling and Disclosure
EXINI will internally report and investigate the vulnerability in a timely manner. If the reporter has chosen to share his/her contact information with us, we are committed to coordinating with him/her as openly and as quickly as possible. Within 1 business day, we will acknowledge that the report has been received. We may contact the reporter for more information and to communicate the expected timeframe.
Handling and disclosure of the vulnerability will be managed through our internal procedures. This can include development of security patches and communication with affected customers. EXINI will collaborate with the reporter to decide on the release of a public security advisory, which will include credit to the security researcher if desired.
Any questions regarding the Coordinated Vulnerability Disclosure Policy
GDPR
When you use aPROMISE to process patient information related to a patient who is a resident of the EU, you are responsible for ensuring that your organization complies with GDPR. In terms of GDPR you, as the user of aPROMISE, are the data controller and EXINI, as the service provider, is the data processor. In advance of processing data with aPROMISE, be sure that you have explicit consent from the patient whose data you are capturing. When data is sent to aPROMISE, it is stored in a secure manner, and is encrypted in transit and at rest.
Our Commitment
EXINI (‘we’ or ‘us’ or ‘our’) is committed and dedicated to ensuring the security and protection of the personal information that we process, and to providing a robust, continuous and consistent approach to data protection. Our objectives for GDPR and HIPAA compliance include the development and implementation of data protection roles, policies, procedures, controls and measures to ensure continuous safeguarding of the personal information under our remit.
How we are implementing GDPR and HIPAA
- Policies & Procedures – Data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including HIPAA, are in place.
- Data Retention & Erasure – We have retention policies and are applying the privacy by design principle, meaning we store only data that is needed for the current task and only store it for as long as needed.
- Data Breaches – As a medical device manufacturer we have breach procedures in place that ensure safeguards and measures to identify, assess, investigate and report any personal data breach at the earliest possible time.
- International Data Transfers & Third-Party Disclosures – When EXINI stores or transfers personal information outside the EU, we have robust procedures and safeguarding measures in place to secure, encrypt and maintain the integrity of the data.
- Processor Agreements – When we use a third party to process personal information on your behalf, we have data processor agreements and/or business associate agreements in place.