Coordinated Vulnerability Disclosure Policy

EXINI Diagnostics AB Coordinated Vulnerability Disclosure

EXINI Diagnostics AB (“EXINI,” “we,” “our,” or “us”) is committed to ensuring the safety and security of patients, customers and customer sites, including the protection of personal data. Our company recognizes the importance of security researchers in achieving these objectives. This policy is intended to set out the circumstances under which security researchers are permitted to conduct security research on EXINI-owned products, how to communicate with EXINI, and what they can expect from us.

Scope

The purpose of this policy is to coordinate the disclosure of vulnerabilities found in EXINI products and to allow time for investigation and the handling of security patches, so as not to put our customers and/or patients at unnecessary risk. EXINI encourages you to report vulnerabilities related to EXINI products by contacting support@exini.com.

EXINI does not intend to engage in legal action against individuals who in good faith report vulnerabilities according to EXINI's coordinated vulnerability disclosure policy, meaning that they:

  • Notify us as soon as possible after they discover a real or potential security issue.
  • Comply with applicable laws and regulations.
  • Avoid affecting the safety or privacy of patients and/or customers.
  • Don’t disclose a vulnerability before an agreed timeframe.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only exploit to the extent necessary to confirm a vulnerability’s presence.

The following are out of scope for our vulnerability disclosure policy:

  • Security research involving phishing.
  • Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.

The procedure for vulnerability reporting and disclosure is as follows:

Report

We expect that individuals finding vulnerabilities in EXINI products report these to us through support@exini.com. The vulnerability found and the affected product shall be clearly described. The report shall also state whether this is a known vulnerability that has already been disclosed. EXINI urges that vulnerabilities found in our products not be disclosed immediately, as that can put patients and/or customers at risk.

We expect that the report is provided in English and includes:

  • Affected device (including version).
  • Description of the vulnerability (including a description of exploit code, proof of concept, sample packet capture, network traces, when discovered, where discovered).
  • Operating system, browser, and network connectivity in use when the vulnerability was discovered.
  • Known or suspected threats related to the found vulnerability.
  • Contact information for the reporter/security researcher (anonymous reports are accepted).

Be careful not to include personally identifiable information or protected health information.

Investigation, Vulnerability Handling and Disclosure

EXINI will internally report and investigate the vulnerability in a timely manner. If the reporter has chosen to share his/her contact information with us, we are committed to coordinating with him/her as openly and as quickly as possible. Within 1 business day, we will acknowledge that the report has been received. We may contact the reporter for more information and to communicate the expected timeframe.

Handling and disclosure of the vulnerability will be managed through our internal procedures. This can include the development of security patches and communication with affected customers. EXINI will collaborate with the reporter to decide on the release of a public security advisory, which will include credit to the security researcher if desired.

Any questions regarding the Coordinated Vulnerability Disclosure Policy

 
