Elekta Coordinated Vulnerability Disclosure Statement

Elekta is committed to ensuring the safety and security of the products we develop and provide for cancer care. Elekta welcomes the valuable contributions of security researchers and customers ("submitters"). This coordinated vulnerability disclosure policy is intended to ensure a responsible and streamlined process for reporting and handling product security vulnerabilities.

Scope

This statement applies to all supported Elekta products and solutions. The goal of Elekta, in partnership with the submitter, should always be to reduce the risk to patient safety in the healthcare solutions impacted by any discovered vulnerability.

Legal Information

Elekta will not pursue legal action for those acting in good faith and in adherence to the coordination instructions and guidelines described in this policy, including compliance with all applicable laws.

Communicating with Elekta

To ensure proper handling of the disclosure in both directions, the submitter should adhere to the following instructions:

  • Submit reports, preferably in English, to ProductSecurity@elekta.com.
  • Use our PGP public key, available on this page, to encrypt any email submission.
  • Provide us with detailed technical information about the security issue or vulnerability, including:
    • The specific product tested, including product name and version number
    • The technical infrastructure tested, including operating system and version, and any relevant additional information such as network details
    • For web-based products, the date and time of testing, the URL, the browser type and version, and the input provided to the application
    • Details of the vulnerability discovered, how you discovered it, its impact and any potential remediation
    • Any evidence that the vulnerability is being exploited
    • Any additional information that could help Elekta validate the issue, including the tools used for testing
  • Do not include sensitive information (other than information related to the vulnerability details) in any screenshots or other documents or content you provide to Elekta.
  • If the submitter has involved ICS-CERT, CERT/CC, relevant regulators, or other appropriate parties, share that information along with any tracking numbers provided.
  • Provide reports that include proof-of-concept code to allow Elekta to triage the issue more effectively.

Elekta Responsibility

Once we have received a report, Elekta will:

  • Acknowledge receipt within three (3) business days.
  • Provide the submitter with a unique tracking number for the report.
  • Perform an initial assessment of the potential finding to determine its accuracy, whether escalation is needed, and escalation to the relevant product group.
  • Request additional information, if required, to establish the vulnerability.
  • Keep you informed of the status of your report.
  • If the vulnerability is in a third-party component that is part of our product, refer the report to that third party and advise you of that notification. With your consent, we will share your contact information with the third party.
  • After validating the vulnerability, work toward a resolution.
  • Perform QA/validation testing on the resolution.
  • Use existing processes to manage the release of patches or security fixes, which may include direct customer notification or publication of a security advisory.
  • If requested, provide public acknowledgement of the submitter when the report results in a publicly released fix or communication.
  • Where necessary, or if we are unable to resolve communication issues or other problems, Elekta may bring in a neutral third party (such as CERT/CC, DHS ICS-CERT, or the relevant regulator) to assist in determining the best way to handle the vulnerability.

What is expected of Submitters?

Through this statement, Elekta expects the submitter to adhere to the following guidelines.

  • Never perform any testing (or hacking) on active environments in use for patient care, patient diagnosis or monitoring (use test or development environments to perform vulnerability testing)
  • Comply with all applicable laws and regulations
  • Do not use social engineering to gain access to systems
  • Do not access, modify or delete any data in any account or system for which you do not have legal control
  • Do not take advantage of the vulnerability or any issue you have discovered; do not take any disproportionate or illegal actions including building backdoors into a system
  • Work with Elekta on selecting public release dates for information on discovered vulnerabilities, to minimize public safety, privacy and security risks
  • Do not disclose vulnerability details to the public before the mutually agreed timeframe has expired. Inform us of your disclosure plans before any public disclosure.

Any information shared with Elekta may be used by Elekta in any manner it determines. Submitting information does not create any rights for the submitter or any obligation for Elekta.