Coordinated Vulnerability Disclosure Policy

Aerin Medical is committed to ensuring the security and safety of its medical devices by providing a structured framework for reporting, investigating, and resolving medical device security vulnerabilities. We value the contributions of those who help us identify and resolve vulnerabilities in our systems while maintaining open communication with the security community.

Scope

The scope of this program covers the Aerin Console developed by Aerin Medical, including its device-related software, hardware and associated systems. The CVD process is not intended to be used for reporting complaints or quality issues.

Reporting Process

If you find a vulnerability that meets the scope and eligibility criteria of this program, please follow these steps to report it:

  1. Vulnerability Reports shall be submitted to security@aerinmedical.com with the subject line “Vulnerability Disclosure Program.”
  2. At a minimum the report should include the following:
    • Contact information
    • Product name and version
    • Detailed description of the vulnerability
    • Date and time discovered
    • How the vulnerability was identified
    • Steps to reproduce it
    • Any supporting screenshots, videos, or code snippets
  3. Additional information that will help us further characterise the vulnerability includes, but is not limited to:
    • Evidence of whether the vulnerability is being actively exploited
    • Potential impact and risk
    • Any potential remediation
    • Any plans or intentions for public disclosure
  4. Use encryption to protect any sensitive information or attachments.
  5. Do not include any personal information in your initial report.
  6. Wait for our confirmation and acknowledgment within 5 business days.
  7. Work with us to verify and resolve the vulnerability. We will keep you updated on the status and progress of the remediation process.
  8. Once the vulnerability is resolved, we will notify you.

Response

Aerin Medical appreciates the efforts to help us improve the security and safety of our medical devices. We commit to the following:

  1. Acknowledge your email in a timely manner (within 5 business days).
  2. Investigate the vulnerability.
  3. Communicate the findings to the appropriate product team and conduct a risk analysis.
  4. Provide a summary of our findings and be as transparent as possible about the remediation, its timeline, and any issues or challenges that may extend it.
  5. Maintain an open dialogue, which may include status updates, issues and changes to plans.
  6. Disclose the vulnerability to our customers and/or publicly release a security advisory, as appropriate.

Disclaimers

Aerin Medical will not pursue any legal action or initiate any law enforcement investigation against you if you comply with the rules and guidelines of this program and act in good faith. Aerin Medical will also not disclose your identity or personal information to any third parties without your consent unless required by law. If you follow the program’s scope and eligibility criteria, Aerin Medical will not hold you liable for any damages or losses caused by your testing or reporting of the vulnerability.

Contact

If you have any questions or feedback about this program, please email us at security@aerinmedical.com. We look forward to working with you and thank you for your interest and participation.

Security Advisories

Aerin Medical does not have any security advisories at this time.

Last Modified: 9 August 2024

WEB1321-20.A