Vulnerability Disclosure Policy

We believe in responsible disclosure and coordinated vulnerability management to protect the healthcare ecosystem.

Our Commitment

The Biohacking Village is committed to working with security researchers and manufacturers to identify and remediate security issues in medical devices and healthcare systems. We follow a coordinated vulnerability disclosure (CVD) approach that prioritizes patient safety and gives manufacturers adequate time to develop and deploy fixes.

Report

Submit vulnerability details securely

Acknowledge

We respond within 5 business days

Coordinate

Work with manufacturer on timeline

Publish

Public disclosure after remediation

Reporting Guidelines

What to Report

  • Security vulnerabilities in medical devices
  • Authentication and authorization flaws
  • Data encryption and privacy issues
  • Network protocol vulnerabilities
  • Firmware and software security weaknesses

What Not to Report

  • Social engineering attempts
  • Outdated software or firmware (advise updating)
  • Non-reproducible or theoretical issues
  • Issues from automated scanning without verification
  • Third-party library vulnerabilities (contact library maintainers)

Disclosure Timeline

  • Initial acknowledgment: 5 business days
  • Manufacturer notification: 14 days
  • Coordinated remediation window: 90 days standard (negotiable)
  • Public disclosure: After patch availability or 90-day limit
  • CVE assignment: Upon request and verification

Report a Vulnerability

Send vulnerability reports to our security team. Include detailed information about the vulnerability, affected systems, and reproduction steps.

Click to reveal email

PGP key available upon request for sensitive submissions