ZOLL Co-ordinated Vulnerability Disclosure Commitment


The Co-ordinated Vulnerability Disclosure (CVD) process is established by ZOLL® to provide a structured framework for the responsible reporting, investigation and resolution of ZOLL medical device security vulnerabilities. The goal of this process is to ensure the safety, security and reliability of our medical devices while maintaining open communication with the security community.

Scope

The Co-ordinated Vulnerability Disclosure (CVD) process applies to all software, hardware and associated systems developed and provided by ZOLL for external use. The CVD process is not intended to provide technical support on our products or for reporting Adverse Events or Quality Complaints.

For ZOLL Product Customer Support, please visit https://www.zoll.com/contact/customer-service.

What we ask from you

  • Comply with all applicable laws and regulations of your location and the location in which the ZOLL product is located;
  • Do not use a vulnerability to take disproportionate action, such as exploiting a vulnerability other than to prove its existence, removing sensitive data from the product or creating a backdoor within or otherwise introducing further vulnerability into a product for subsequent use;
  • Do not engage in research or testing of systems where there is any risk of patient harm;
  • Do not test products or network infrastructure in clinical settings or other active environments where the products are being used for any type of patient diagnosis, treatment, care or monitoring or could inadvertently be used in this way;
  • Return any product intended for subsequent use in a clinical setting to its original state when testing is concluded;
  • Do not disclose vulnerability details to the public before a mutually agreed-upon timeframe with ZOLL has expired;
  • Submit reports in English, if possible.

Note: Reports that include only crash dumps or other automated tool output may receive lower priority.

Reporting Procedure

  1. Co-ordinated Vulnerability Disclosure Reports shall be submitted via email to [email protected] with the following information:
    1. Contact Information (Name, Organisation, Email, telephone number)
    2. Name and version of product/products affected
    3. Describe the vulnerability and how it was discovered
    4. Is there evidence that this vulnerability is being actively exploited?
    5. Do you plan to publicly disclose this vulnerability?
    6. Would you like to be credited with discovering the vulnerability if we publish a document addressing the vulnerability?
  2. Following the initial report, ZOLL Product Security will provide you with a method to securely transfer detailed vulnerability information.

What to expect from ZOLL

  • We will acknowledge receipt of your report within 4 working days
  • We will assign you an individual as POC for your report and continued communication
  • We will investigate the potential vulnerability
  • We will direct the potential findings to the appropriate product teams for verification and reproduction. You may be contacted to provide additional information at this stage.
  • We will conduct a risk analysis to determine appropriate action
  • We will provide you with a summary of our findings throughout the process
  • We will provide credit for discovery of the vulnerability, if requested

Notice

In the event you decide to share any information with ZOLL, you agree that the information you submit will be considered non-proprietary and non-confidential and that ZOLL is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for ZOLL.

Cybersecurity

Developing our products with cybersecurity in mind and adhering to relevant international standards and guidance documents.

Secure by Design

Interconnected healthcare solutions can help drive improved outcomes and more efficient systems. But they can also raise cybersecurity risks. ZOLL® is committed to ensuring the safety, effectiveness and security of our products.

Evaluating Threats

Evaluating known cybersecurity threats and advising customers so they are confident they can use our products safely and securely.

Co-ordinated Vulnerability Disclosers

Commitment to a Co-ordinated Vulnerability Disclosure (CVD) process.
