MOBERG ANALYTICS
Moberg Analytics Coordinated Vulnerability Disclosure Policy
Moberg Analytics is committed to ensuring the safety and security of our customers. As such, Moberg Analytics has developed this Coordinated Vulnerability Disclosure Policy to detail how vulnerabilities in the Moberg Clinical Platform shall be responsibly reported, investigated, and resolved. This is done to ensure the safety, effectiveness, and security of the Moberg Clinical Platform and to maintain open communication with good-faith security researchers in the security community.
This framework sets out how vulnerabilities should be reported, the acceptance criteria for reports, and how Moberg Analytics will respond to disclosed vulnerabilities.
Full credit will be given to researchers who submit a vulnerability report once the Moberg Analytics product security team has accepted and validated the report.
Scope
This Policy applies to the following systems and services provided by Moberg Analytics:
- Moberg Clinical Platform
Acceptable Testing Practices
Moberg Analytics will not take legal action against good-faith security researchers who submit a vulnerability report through our vulnerability reporting system. Specifically, legal action will not be taken against good-faith security researchers who:
- Comply with applicable laws and regulations in their location and the location of the product they are testing;
- Do not test systems where damage could directly or indirectly increase the risk of patient harm, including products in active clinical settings where they are used for patient monitoring;
- Do not use vulnerabilities to take actions other than proving a vulnerability’s existence, such as removing essential or non-essential data, introducing further vulnerabilities, or permanently compromising the functions of the product;
- Return products to their original state after completing their testing if they are to be used in a clinical setting;
- Maintain confidentiality of vulnerability details until a mutually agreed-upon timeframe with Moberg Analytics has expired;
- Receive permission from customers prior to performing testing on their devices.
The following test methods are not permitted:
- Network denial of service (DoS or DDoS) tests, or equivalent, that hinder access to the system or damage the system or its data;
- Non-technical vulnerability testing, including but not limited to social engineering.
Reporting Procedure
Vulnerability reports should be submitted by email to support@moberganalytics.com. Please include all of the information listed below to expedite the process of addressing the vulnerability.
Prioritization and Acceptance Criteria
The following criteria detail how Moberg Analytics will prioritize and triage vulnerability report submissions.
What we expect from you:
- Reports written in English (if possible);
- Information regarding how the vulnerability was found, the impact, and potential remediations/workarounds;
- Proof-of-concept code to aid in the triaging process;
- Plans for public disclosure;
- Note that reports consisting only of crash dumps or output from automated tools may be assigned lower priority.
What to expect from Moberg Analytics:
- A response to the initial vulnerability report within 3 business days;
- After triaging, Moberg Analytics will provide an expected remediation timeline and potential issues/challenges that could cause delays in this timeline;
- An open dialogue to discuss the issue and others that may arise;
- Notification of vulnerability assessment progress after the completion of each phase;
- Full credit after the vulnerability has been validated and remediated.
Communication with Customers
Moberg Analytics recognizes the importance of keeping customers up to date on patches, updates, potential vulnerabilities, and other pertinent security information. As such, emails (or equivalent communication) shall be sent to all users with information on remediations, patches, and updates to the software at the time they are deployed.
If a vulnerability has been discovered, the Company shall provide the following to customers via email (or equivalent communication):
- A description of the vulnerability including an impact assessment based on the Company’s current understanding,
- A statement that the Company’s efforts are underway to address the risk of patient harm as expeditiously as possible,
- A description of compensating controls, if any, and
- A statement that the Company is working to fix the vulnerability, or a defense-in-depth strategy to reduce the probability of exploit and/or severity of harm, and assurance that the Company will communicate regarding the availability of a fix in the future.