Biohacking Village has established a routine practice of seeking, communicating and addressing cybersecurity issues in a timely fashion. Vulnerability disclosure is an essential component to our approach to transparency by enabling customers to manage risk properly through awareness and guidance.
Biohacking Village is committed to help ensuring the safety and security of the biomedical, technological ecosystem. Biohacking Village has formalized a process for handling reported security vulnerabilities in the biomedical product portfolio and IT infrastructure.
The Biohacking Village is prepared to work in good faith with individuals that submit vulnerability reports, through ways described in section titled Report. Biohacking Village openly accept reports and maintains a Research Recognition page to credit individuals that ethically report security issues. Biohacking Village does not intend to engage in legal action against individuals who:
Engage in testing of systems/research without harming anyone.
Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
Adhere to the applicable laws and comply with all applicable software license requirements.
Perform coordinated disclosure, i.e. refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
Avoid impact to the safety or privacy of anyone. In regards to medical products, particularly avoid impact to the safety or privacy of patients.
CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they mean a security flaw that's been assigned a CVE ID number. Security advisories issued by vendors and researchers almost always mention at least one CVE ID. CVEs help IT professionals coordinate their efforts to prioritize and address these vulnerabilities to make computer systems more secure
Biohacking Village welcomes vulnerability reports from security researchers and other external groups that wish to report a vulnerability about a software enabled device in good faith.
Biohacking Village partners with the issue reporter to investigate and confirm the vulnerabilities. If confirmed, we work wth the manufacturer(s) to effectively respond to reported cybersecurity issues. Once validated, incident response teams will collaborate to determine objectives, scope, severity, and appropriate actions required to respond accordingly.
For awareness, Biohacking Village voluntarily reports to the U.S. Food and Drug Administration (FDA) and EU commission/ENISA, including the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA). We follow the FDA's Postmarket Management of Cybersecurity in Medical Devices guidance to properly communicate vulnerabilities to consumers.
Our disclosures are posted to our and the Security Advisory page in coordination with CISA's advisory.
Formal recognition, with consent, of the independent researchers for their contribution to patient safety, cybersecurity and technology awareness.
To report a security vulnerability affecting a product, solution or infrastructure component, please contact Biohacking Village using firstname.lastname@example.org. Biohacking Village usually responds to incoming reports within three to five business days.
Everyone is encouraged to report discovered vulnerabilities, regardless of service contracts or product lifecycle status. Biohacking Village welcomes vulnerability reports from researchers, industry groups, CERTs, partners and any other source as Biohacking Village does not require a nondisclosure agreement NDA as a prerequisite for receiving reports. Biohacking Village respects the interests of the reporting party (also anonymous reports if requested) and agrees to handle any vulnerability that is reasonably believed to be related to medical, pharma, and laboratory products, solutions or infrastructure components. Biohacking Village urges reporting parties to perform a coordinated disclosure, as immediate public disclosure causes a ‘0-day situation’ which puts physicians, patients, laboratories, and healthcare delivery organizations at unnecessary risk. Those systems comprise significant parts of the worldwide critical infrastructure.
Please report the following information:
Description of vulnerability, including network traces (if available) and workflow (when, where and how it was discovered) to the vulnerability.
Your contact information, including name(s), organization name, email address and phone number so we can follow up with you. We never share your contact information.
Technical description of the concern or vulnerability, including
Which products/devices/systems it is impacting, including product numbers
Whether you were able to access any protected health information or other personally-identifiable information about any user or the product or system in which you disclosed the vulnerability. Please do NOT include any protected health information or other personally-identifiable information about others in your email submission.
Any additional information you think will be helpful to us, including details on the testing environment and tools used to conduct the testing
Whether you have notified anyone else about the potential vulnerability, such as regulatory agencies, vendors, vulnerability coordinators, etc.
Biohacking Village investigates the vulnerability with the manufacturer and reproduces the vulnerability. If needed, we or they will request more information from the reporter.
Biohacking Village performs vulnerability handling in collaboration with the responsible development groups. National and Governmental CERTs having a partnership with Biohacking Village may be notified about a security issue in advance. During this time, regular communication is maintained between Biohacking Village and the reporting party to inform about the current status and to ensure that the vendor’s position is understood by the reporting party. If available, pre-releases of software fixes may be provided to the reporting party for verification.
After the issue was successfully analyzed and if a fix is defined for the vulnerability, corresponding fixes will be developed and prepared for distribution by the manufacturer. Biohacking Village will use existing notification processes to manage the public release of a security advisory containing all necessary information on the Biohacking Village website (see Security Advisory).
A Biohacking Village Security Advisory usually contains the following information:
Description of the vulnerability with CVE reference and CVSS score
Identity of known affected products and software/hardware versions
Information on mitigating factors and workarounds
The location of available fixes
With the reporting party’s consent, credit is provided for reporting and collaboration.