CMR Vulnerability Handling and Disclosure Process
Overview
CMR commits to continuously maintaining and improving the security of our customers and patients.
This page details our approach to handling security vulnerability disclosures in our products and ICT infrastructure.
We are happy to accept reports for our products and ICT infrastructure through the contact details at the bottom of the page.
We do not plan to take legal action against anybody who:
- Performs security research without causing harm.
- Conforms with laws, regulations and contractual terms.
- Takes part in planned and ethical disclosure – not releasing vulnerability information in a public forum before mutual agreement with CMR
- Avoids negatively affecting the privacy or safety of anybody, especially patients of our system
Vulnerability process
Reporting
Please use the Contact Information below. We will usually respond within 3 working days.
Information to include:
- Details of the vulnerability including technical information, code, steps to reproduce, where possible
- What systems or products are affected, their version numbers if relevant
- How public is the vulnerability – has there been a public disclosure yet?
Anybody is welcome to report a vulnerability, regardless of their relationship to CMR. We don’t require an NDA with a reporting party to receive their report.
We will address any vulnerability that can be reasonably linked to a CMR product or ICT infrastructure.
Handling
CMR will log, acknowledge and review the report. We may request more details from the reporter.
CMR’s Information Security Team will pass the vulnerability on to the relevant internal team for assessment and remediation. The Information Security team will stay in contact with the reporter until the vulnerability is either remediated or accepted within our risk management.
Disclosure
When a technical resolution such as a patch or fix is required, it will be created and prepared for delivery.
Where surgical systems need to be updated, we will use our existing channels and service arrangements with our customers to communicate and distribute the patch.
Where digital products or ICT infrastructure needs to be updated, the relevant CMR teams will manage the remediation internally and inform any parties who have a need to know.
Contact
Please email [email protected]
We currently can only respond to emails written in English.