Vulnerability Disclosure Policy
We believe in responsible disclosure and coordinated vulnerability management to protect the healthcare ecosystem.
Our Commitment
The Biohacking Village is committed to working with security researchers and manufacturers to identify and remediate security issues in medical devices and healthcare systems. We follow a coordinated vulnerability disclosure (CVD) approach that prioritizes patient safety and gives manufacturers adequate time to develop and deploy fixes.
Report
Submit vulnerability details securely
Acknowledge
We respond within 5 business days
Coordinate
Work with manufacturer on timeline
Publish
Public disclosure after remediation
Reporting Guidelines
What to Report
- Security vulnerabilities in medical devices
- Authentication and authorization flaws
- Data encryption and privacy issues
- Network protocol vulnerabilities
- Firmware and software security weaknesses
What Not to Report
- Social engineering attempts
- Outdated software or firmware (advise updating)
- Non-reproducible or theoretical issues
- Issues from automated scanning without verification
- Third-party library vulnerabilities (contact library maintainers)
Disclosure Timeline
- Initial acknowledgment: 5 business days
- Manufacturer notification: 14 days
- Coordinated remediation window: 90 days standard (negotiable)
- Public disclosure: After patch availability or 90-day limit
- CVE assignment: Upon request and verification
Report a Vulnerability
Send vulnerability reports to our security team. Include detailed information about the vulnerability, affected systems, and reproduction steps.
Click to reveal emailPGP key available upon request for sensitive submissions
