CMR Vulnerability Handling and Disclosure Process

Overview

CMR commits to continuously maintaining and improving the security of our customers and patients.

This page details our approach to handling security vulnerability disclosures in our products and ICT infrastructure.

We are happy to accept reports for our products and ICT infrastructure though the contact details at the bottom of the page.

We do not plan to take legal action against anybody who:

Performs security research without causing harm.
Conforms with laws, regulations and contractual terms.
Takes part in planned and ethical disclosure – not releasing vulnerability information in a public forum before mutual agreement with CMR
Avoids negatively affecting the privacy or safety of anybody, especially to patients of our system

Vulnerability process

Reporting

Please use the Contact Information below. We will usually respond within 3 working days.

Information to include:

Details of the vulnerability including technical information, code, steps to reproduce, where possible
What systems or products are affected, their version numbers if relevant
How public is the vulnerability – has there been a public disclosure yet?

Anybody is welcome to report a vulnerability, regardless of their relationship to CMR. We don’t require an NDA with a reporting party to receive their report.

We will address any vulnerability that can be reasonably linked to a CMR product or ICT infrastructure.

Handling

CMR will log, acknowledge and review the report. We may request more details from the reporter.

CMR’s Information Security Team will pass the vulnerability on to the relevant internal team for assessment and remediation. The Information Security team will stay in contact with the reporter until the vulnerability is either remediated or accepted within our risk management.

Disclosure

When a technical resolution like a patch or fix is required, these will be created and prepared for delivery.

Where surgical systems need to be updated, we will use our existing channels and service arrangements with our customers to communicate and distribute the patch.

Where digital products or ICT infrastructure needs to be updated, the relevant CMR teams will manage the remediation internally and inform any parties who have a need to know.

Contact

Please email [email protected]

We currently can only respond to emails written in English.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.