Elekta Coordinated Vulnerability Disclosure Statement

Elekta is committed to ensuring the safety and security of the products we develop and provide for cancer care. Elekta welcomes the invaluable contributions offered by security researchers and by our customers (“submitter”). This Coordinated Vulnerability Disclosure policy is designed to ensure a responsible and streamlined process for reporting and handling of product security vulnerabilities.

Scope

This statement applies to all supported Elekta products and solutions. The goal of Elekta's collaboration with the submitter should always be to reduce the risk to any healthcare solution affected by a discovered vulnerability and to protect patient safety.

Legal Information

Elekta will not pursue legal action against submitters who act in good faith and adhere to the coordination instructions and guidelines described in this policy, including compliance with all applicable laws.

Communicating with Elekta

To ensure that this disclosure is handled correctly in both directions, the submitter should follow these instructions:

  • Submit the report, preferably in English, to productsecurity@elekta.com.
  • Use our PGP public key, available on this page, to encrypt any email submissions.
  • Provide us with detailed technical information about the security issue or vulnerability, including:
    • Specific product tested, including product name and version number
    • The technical infrastructure tested, including operating system and version, and any relevant additional information such as network details
    • For web-based products, date and time of testing, URLs, the browser type and version, as well as the input provided to the application
    • Details of the vulnerability found, how you discovered it, its impact, and any potential fixes
    • Any evidence that the vulnerability is being exploited
    • Any additional information which can help Elekta verify the issue, including tools used for testing
  • Do not include sensitive information (other than information related to the vulnerability details) in any screenshots or other documents or content you provide to Elekta.
  • If the submitter has involved ICS-CERT, CERT/CC, a relevant regulatory body or another appropriate party, share that information together with any tracking number provided.
  • Provide reports that include proof-of-concept code to allow Elekta to better triage.

Elekta's Responsibilities

Once we have received a report, Elekta will:

  • Acknowledge receipt within three (3) business days.
  • Provide you with a unique tracking number for your report.
  • Perform an initial assessment on the potential findings to determine accuracy, need for escalation and product group to escalate to.
  • Request additional information if required to establish the vulnerability.
  • Keep you informed on the status of your report.
  • If the vulnerability is in a third-party component that forms part of our product, submit a report to that third party and inform you of that notification. With your consent, share your contact information with the third party.
  • Upon verifying the vulnerability, work on a resolution
  • Perform QA/validation testing of the resolution.
  • Use existing processes to manage the release of patches or security fixes, which may include direct customer notification or release of security advisory
  • Provide the researcher with public recognition if requested and if the report results in a publicly released fix or communication.
  • When necessary, or if we are unable to resolve communication or other issues, Elekta may bring in a neutral third party (such as CERT/CC, DHS ICS-CERT or a relevant regulatory body) to help determine the best way to handle the vulnerability.

What is expected of the submitter?

Through this statement, Elekta expects submitters to comply with the following guidelines:

  • Never perform any testing (or hacking) on systems in use for patient care, patient diagnosis or patient monitoring; use a test or development environment to perform vulnerability testing.
  • Comply with all applicable laws and regulations.
  • Do not use social engineering to gain access to the system.
  • Do not access, modify or delete any data in any account or system you do not legitimately control.
  • Do not exploit the vulnerability or any issue you discover; do not take any disproportionate or illegal action, including building backdoors into the system.
  • We ask that you work with Elekta in choosing a public release date for information about the discovered vulnerability, to minimize the likelihood of public safety, privacy and security risks.
  • Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires. Inform us of your disclosure plans, if any, prior to public disclosure.

Any information shared with Elekta may be used in any manner determined appropriate by Elekta. Submitting any information will not create any rights for the submitter, nor will it create any obligations for Elekta.