Coordinated Vulnerability Disclosure
Biohacking Village has established a routine practice of seeking, communicating and addressing cybersecurity issues in a timely fashion. Vulnerability disclosure is an essential component of our approach to transparency, enabling customers to manage risk properly through awareness and guidance.
Biohacking Village is committed to helping ensure the safety and security of the biomedical technological ecosystem. Biohacking Village has formalized a process for handling reported security vulnerabilities in the biomedical product portfolio and IT infrastructure.
The Biohacking Village is prepared to work in good faith with individuals who submit vulnerability reports through the channels described in the section “Contact Information”. Biohacking Village openly accepts reports and maintains a Hall of Thanks to credit individuals who ethically report security issues. Biohacking Village does not intend to engage in legal action against individuals who:
- Engage in testing of systems/research without harming anyone.
- Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
- Adhere to the applicable laws and comply with all applicable software license requirements.
- Perform coordinated disclosure, i.e. refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
- Avoid impact to the safety or privacy of anyone. In regards to medical products, particularly avoid impact to the safety or privacy of patients.
Overview
CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they mean a security flaw that has been assigned a CVE ID number. Security advisories issued by vendors and researchers almost always mention at least one CVE ID. CVEs help IT professionals coordinate their efforts to prioritize and address these vulnerabilities and make computer systems more secure.
OUR PROCESS
REPORT
Biohacking Village welcomes vulnerability reports from security researchers and other external groups that wish to report a vulnerability about a software enabled device.
Analyze
Biohacking Village partners with the issue reporter to investigate and confirm the vulnerabilities. If confirmed, we work with the manufacturer(s) to effectively respond to reported cybersecurity issues. Once validated, incident response teams will collaborate to determine objectives, scope, severity, and the appropriate actions required to respond accordingly.
Coordinate
For awareness, Biohacking Village voluntarily reports to the U.S. Food and Drug Administration (FDA) and ENISA, as well as the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA). We follow the FDA's Postmarket Management of Cybersecurity in Medical Devices guidance to properly communicate vulnerabilities to consumers.
Disclose
Our disclosures are posted on our site and on the Manufacturer Bulletins and Patches page, in coordination with CISA's advisory.
1. Report
To report a security vulnerability affecting a product, solution or infrastructure component, please contact Biohacking Village through the channels described in the section 'Contact Information'. Biohacking Village usually responds to incoming reports within one to three business days.
Please report the following information:
- Description of the vulnerability, including proof-of-concept exploit code or network traces (if available)
- Affected product, solution or infrastructure component, including model and firmware version (if available)
- Publicity of the vulnerability (has it already been publicly disclosed?)
Everyone is encouraged to report discovered vulnerabilities, regardless of service contracts or product lifecycle status. Biohacking Village welcomes vulnerability reports from researchers, industry groups, CERTs, partners and any other source, and does not require a non-disclosure agreement as a prerequisite for receiving reports. Biohacking Village respects the interests of the reporting party (including anonymity, if requested) and agrees to handle any vulnerability that is reasonably believed to be related to medical, pharma, and laboratory products, solutions or infrastructure components. Biohacking Village urges reporting parties to perform a coordinated disclosure, as immediate public disclosure causes a ‘0-day situation’ which puts physicians, patients, laboratories, and healthcare delivery organizations at unnecessary risk. Those systems comprise significant parts of the worldwide critical infrastructure.
2. Analysis
Biohacking Village investigates the vulnerability with the manufacturer and reproduces the vulnerability. If needed, we or they will request more information from the reporter.
3. Handling
Biohacking Village performs vulnerability handling in collaboration with the responsible development groups. National and governmental CERTs that have a partnership with Biohacking Village may be notified about a security issue in advance. During this time, regular communication is maintained between Biohacking Village and the reporting party to report on the current status and to ensure that the vendor’s position is understood by the reporting party. If available, pre-releases of software fixes may be provided to the reporting party for verification.
4. Disclosure
Once the issue has been successfully analyzed, and if a fix is necessary to address the vulnerability, corresponding fixes will be developed and prepared for distribution. Biohacking Village will use existing notification processes to manage the release of patches, which may include direct customer notification or public release of a security advisory containing all necessary information on the Biohacking Village website (see section “Contact Information”).
A Biohacking Village Security Advisory usually contains the following information:
- Description of the vulnerability with CVE reference and CVSS score
- Identity of known affected products and software/hardware versions
- Information on mitigating factors and workarounds
- The location of available fixes
- Credit to the reporting party for reporting and collaboration, given with the reporting party’s consent