The Coordinated Vulnerability Disclosure (CVD) process is established by ZOLL® to provide a structured framework for the responsible reporting, investigation, and resolution of ZOLL medical device security vulnerabilities. The goal of this process is to ensure the safety, security, and reliability of our medical devices while maintaining open communication with the security community.
Scope
The Coordinated Vulnerability Disclosure (CVD) process applies to all software, hardware, and associated systems developed and provided by ZOLL for external use. The CVD process is not intended to provide technical support on our products or for reporting Adverse Events or Quality Complaints.
For ZOLL Product Customer Support, please visit https://www.zoll.com/contact/customer-service.
What we ask from you
- Comply with all applicable laws and regulations of your location and the location in which the ZOLL product is located;
- Do not use a vulnerability to take disproportionate action, such as exploiting a vulnerability other than to prove its existence, removing sensitive data from the product or creating a backdoor within or otherwise introducing further vulnerability into a product for subsequent use;
- Do not engage in research or testing of systems where there is any risk of patient harm;
- Do not test products or network infrastructure in clinical settings or other active environments where the products are being used for any type of patient diagnosis, treatment, care or monitoring, or could inadvertently be used in this way;
- Any product intended for subsequent use in a clinical setting should be returned to its original state when testing is concluded;
- Do not disclose vulnerability details to the public before a mutually agreed-upon timeframe with ZOLL has expired;
- Write reports in English, if possible.
Note: Reports that include only crash dumps or other automated tool output may receive lower priority.
Reporting Procedure
- Coordinated Vulnerability Disclosure Reports shall be submitted via email to [email protected] with the following information:
  - Contact Information (Name, Organization, Email, telephone number)
  - Name and version of product/products affected
  - Describe the vulnerability and how it was discovered
  - Is there evidence that this vulnerability is being actively exploited?
  - Do you plan to publicly disclose this vulnerability?
  - Would you like to be credited with discovering the vulnerability if we publish a document addressing the vulnerability?
- Following initial report, ZOLL Product Security will provide you with a method to securely transfer detailed vulnerability information.
What to expect from ZOLL
- We will acknowledge receipt of your report within 4 business days
- We will assign you an individual as POC for your report and continued communication
- We will investigate the potential vulnerability
- We will direct the potential findings to the appropriate product teams for verification and reproduction. You may be contacted to provide additional information at this stage.
- We will conduct a risk analysis to determine appropriate action
- We will provide you a summary of our findings throughout the process
- We will provide credit for discovery of the vulnerability, if requested
Notice
In the event you decide to share any information with ZOLL, you agree that the information you submit will be considered non-proprietary and non-confidential and that ZOLL is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for ZOLL.