The number of manufacturers in cyber safety industries who have coordinated vulnerability disclosure programs is quickly growing. We encourage more engagement between manufacturers and researchers, along the lines of our Position on Disclosure.
- Johnson and Johnson
- St. Jude Medical
- Orion Health
- Beckman Coulter
- Boston Scientific
- Thermo Fisher Scientific
- Smiths Medical
- Radiometer Medical
- Medical Device Information Sharing and Analysis Organization (MedISAO)
Third-Party Vulnerability Coordinators and other disclosure resources
- CERT/CC – Part of the non-profit Software Engineering Institute (SEI).
- US-CERT or ICS-CERT – The US government’s incident handling and vulnerability coordination organizations.
- FDA – The US regulator for medical devices has asked researchers to reach out by email with questions or issues: AskMedCyberWorkshop@fda.hhs.gov
- Bugcrowd, HackerOne, Synack – Companies that run disclosure programs for other organizations and may help coordinate with organizations not on their platforms.
- Email common addresses, such as security@, psirt@, safety@, productsecurity@, etc.
- See if anyone in your network has contacts at the company, without inadvertently disclosing the issues.
Resources for Companies
- The US Department of Commerce, National Telecommunications and Information Administration (NTIA) partnered with security researchers, industry, and others in creating a template and guidance document for vulnerability disclosure in safety critical systems.
- ISO/IEC 29147 Standard for Vulnerability Disclosure (free download)
- ISO/IEC 30111 Standard for Vulnerability Handling Processes
If you know of other public coordinated vulnerability disclosure policies or resources, we ask that you let us know. info -at- iamthecavalry.org