Vulnerability Disclosure

Vulnerability Reporting.

In an effort to foster an open partnership with the security community, and in recognition that the work the community does is important to ensure patient safety and security. The following organizations have opted to use this form for their Coordinated Vulnerability Disclosure Process:

  • Diagnostic Grifols, SA.
  • Promenade Software, Inc

What you can expect from us:

  • Acknowledgement of form receipt within 5 business days
  • Best efforts to contact the device manufacturer directly.
  • If the manufacturer is an active member of MedISAO:
    • Escalation to the appropriate representative of Manufacturer
  • You may be contacted for more information by MedISAO or the manufacturer directly.

What we expect of you:

  • Avoid testing any products in a clinical setting or while being actively used by patients.
  • Avoid impact to the safety or privacy of any patients, by not releasing personal information on patients.
  • Comply with all laws and regulations.

  All information is encrypted with 4096-bit RSA before being sent to MedISAO's database. It is never stored unencrypted.

  This process is subject to change without notice and there may be case by case exceptions. MedISAO provides no guarantee of any particular response or action by manufacturers.

  If you have any questions, please email confidential@medisao.com


Instructions for Manually Sending Vulnerability Reports

If you want to send vulnerability reports to MedISAO you may email it to confidential@medisao.com

Please use PGP to encrypt the message and any file attachments.

If you need help feel free to email confidential@medisao.com

Please include the Manufacturer name, Product name, and a thorough description of the vulnerability.

MedISAO Public Key