Vulnerability Disclosure

Introduction

Anumana is committed to ensuring the safety and security of our products. We accomplish this by incorporating cybersecurity across the total product lifecycle of our products and solutions, including the timely management of security vulnerabilities.

Our Coordinated Vulnerability Disclosure policy is intended to give security researchers and customers clear guidelines for reporting product security vulnerabilities to Anumana.

This policy describes which systems and types of research are covered, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities. Anumana openly accepts vulnerability reports for currently supported products and solutions.

Scope

This statement applies to all supported Anumana medical products and solutions. Our goal, in partnership with you as the submitter of a vulnerability, is to reduce risk to patient safety by managing the impact of new vulnerabilities and correcting the issues in our affected solutions.

The scope of our vulnerability reporting process does not include technical support for our products or the reporting of Product Quality Complaints. If you need to report one of these, please contact: productsupport@anumana.net

Contacting Anumana

If you have identified a potential security vulnerability affecting Anumana products, please contact us by sending an email to productsupport@anumana.net.

You may use our PGP Public Key to encrypt your email submission. The Public Key can be found on PGP public key servers (keyserver.pgp.com) by the key id: 869D8EE249C8F635D4DF979E6F25B266D42E71DC

Do not include sensitive personal information in any screenshots or other documents or content you provide to us. Emails and reports should be written in English where possible.

When contacting us, please provide us with technical information including:

  • The specific product tested, including product name and version.
  • Details of the vulnerability discovered, how you discovered it, the impact, and any suggested fixes.
  • The technical infrastructure used for testing, including operating systems, software, versions, network details, and any additional information which can help us verify the issue.
  • For web-based products, please provide URLs, the browser type and version, date and time of testing, as well as the input provided to the application.
  • Any information that the vulnerability is already being exploited.

Expectations

We are willing to work in good faith with security researchers who test and submit vulnerabilities according to these guidelines:

  • Comply with all laws and regulations in the course of your testing activities
  • Avoid impacting the safety or privacy of our customers, specifically by altering a product that a patient uses or by releasing personal information on patients
  • Do not use a device on patients or in a clinical setting if a device has been impacted during the course of security testing
  • Do not access, modify or delete any data in any account or system for which you do not have legal control
  • We ask you to partner with us on selecting public release dates for discovered vulnerabilities to minimize any patient safety, privacy, and security impacts. Please refrain from disclosing vulnerabilities to the public before our mutually-agreed timeframe expires.

Anumana Commitments:

  • Within 5 business days, we will acknowledge receipt of the initial email
  • We will keep you informed on the status of your submission
  • Escalate the potential findings for verification and reproduction. You may be contacted to provide additional information at this stage.
  • Confirm the existence of the vulnerability and the potential impact. If the vulnerability impacts patient safety, we will work to develop a resolution and take appropriate action. All other vulnerabilities will be evaluated and addressed according to the associated risk.
  • Use our processes to manage the release of appropriate security patches or resolutions, which may include direct customer notification or release of a security advisory

All aspects of this process are subject to change without notice, as well as case-by-case exceptions.

Any information shared with Anumana may be used by Anumana without restriction. Submitting any information through this disclosure process does not create any rights or guarantees for the submitter nor does it create any obligations for Anumana.

By contacting us, you agree that the information you provide will be governed by our Privacy Policy and Terms of Use.

 
