Coordinated Vulnerability Disclosure
Biohacking Village has established a routine practice of seeking, communicating and addressing cybersecurity issues in a timely fashion. Vulnerability disclosure is an essential component to our approach to transparency by enabling customers to manage risk properly through awareness and guidance.
Biohacking Village is committed to help ensuring the safety and security of the biomedical, technological ecosystem. Biohacking Village has formalized a process for handling reported security vulnerabilities in the biomedical product portfolio and IT infrastructure.
The Biohacking Village is prepared to work in good faith with individuals that submit vulnerability reports. Biohacking Village openly accepts reports and maintains a Research Recognition page to credit individuals that ethically report security issues, and a Security Advisory page where coordinated disclosures are published.
Biohacking Village does not intend to engage in legal action against individuals who:
- Engage in testing of systems/research without harming anyone
- Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing
- Adhere to applicable laws and comply with all software license requirements
- Perform coordinated disclosure (refrain from disclosing vulnerability details before agreed-upon timeframe)
- Avoid impact to the safety or privacy of anyone, particularly patients using medical products
Overview
CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they mean a security flaw that's been assigned a CVE ID number. Security advisories issued by vendors and researchers almost always mention at least one CVE ID. CVEs help IT professionals coordinate their efforts to prioritize and address these vulnerabilities to make computer systems more secure.
Our Process
Report
Security researchers report vulnerabilities to us through our secure disclosure inbox
Analyse
We partner with reporters to investigate and confirm vulnerabilities with manufacturers
Coordinate
We work with FDA, CISA, and EU agencies to properly manage the disclosure process
Disclose
Public disclosure coordinated with CISA and posted to our Security Advisory page
Recognition
Formal recognition of researchers for their contribution to patient safety
Report
To report a security vulnerability affecting a product, solution or infrastructure component, please contact Biohacking Village using our secure disclosure inbox (click to reveal email). Biohacking Village usually responds within three to five business days.
Everyone is encouraged to report discovered vulnerabilities, regardless of service contracts or product lifecycle status. We welcome reports from researchers, industry groups, CERTs, partners and any other source. We do not require an NDA as a prerequisite for receiving reports and respect anonymous reports if requested.
Please report the following information:
- •Description of vulnerability, including network traces and workflow
- •Your contact information (name, organization, email, phone)
- •Technical description including affected products/devices/systems
- •Testing environment and tools used
- •Whether you've notified other parties (regulatory agencies, vendors, etc.)
Analysis
Biohacking Village investigates the vulnerability with the manufacturer and reproduces it. If needed, we will request more information from the reporter to ensure complete understanding of the issue.
Handling
Biohacking Village performs vulnerability handling in collaboration with responsible development groups. National and Governmental CERTs having a partnership with us may be notified about a security issue in advance. During this time, regular communication is maintained between Biohacking Village and the reporting party. Pre-releases of software fixes may be provided for verification if available.
Disclosure
After successful analysis and fix development, we publicly release a security advisory on the Biohacking Village website (see Security Advisory).
A Security Advisory typically contains:
- •Description of the vulnerability with CVE reference and CVSS score
- •Identity of known affected products and software/hardware versions
- •Information on mitigating factors and workarounds
- •The location of available fixes
- •Credit to the reporting party (with consent)
Ready to Report a Vulnerability?
Contact us to report security vulnerabilities or learn more about our coordinated disclosure process.
