Product Vulnerability Disclosure Reporting

Our first responsibility is to the doctors, nurses and patients, families and all others who use our products. The commitment to safety is part of our DNA, especially in making decisions about and developing our products and services. With the changing healthcare landscape, cybersecurity has always been and will continue to be an integral part of our focus on safety.

Qardio recognizes the valuable role that security researchers play in highlighting cybersecurity vulnerabilities and concerns. Therefore, we are introducing our Coordinated Vulnerability Disclosure Process, outlined below, to enable us to partner effectively with the research community and better leverage their findings. This will also promote collaboration and external party reporting of medical device vulnerabilities.

Scope

The scope of our vulnerability reporting process includes Medical Devices, Software as a Medical Device, and Mobile Medical Applications. It is not for technical support information on our products or for reporting Adverse Events or Product Quality Complaints. If you need to report one of these, please visit https://www.qardio.com/about-us/#contact.

How to Contact Us

If you identify a potential security vulnerability or privacy issue with products from Qardio, please contact us by sending an email to security@getqardio.com.

Once we have received the message, appropriate personnel will be in touch.

The security@getqardio.com email address is intended only for the purposes of reporting security vulnerabilities or privacy issues in medical device products from Qardio.

What We Expect of You

We are willing to work in good faith with security researchers who test and submit vulnerabilities according to the following guidelines:

  • Avoid impacting the safety or privacy of our customers by altering a product that a patient uses or by releasing personal information on patients.
  • Avoid testing any of our products being actively used by patients or in clinical settings, as it could cause a device malfunction. Additionally, do not use a device on patients or in a clinical setting if a device has undergone security testing.
  • Please provide: the name, version and configuration details of the affected product; a description of the vulnerability and the environment in which it was discovered; a description of the specific impact and how you perceive it may be used in an attack.
  • Comply with all laws and regulations in the course of your testing activities.

What You Can Expect

Once we have received a vulnerability submission, Qardio will:

  • Within 10 business days, acknowledge receipt of the initial email.
  • Escalate the potential findings to the appropriate product teams for verification and reproduction. You might be contacted to provide some additional information.
  • Confirm the existence of the vulnerability and the potential impact. If the vulnerability impacts patient safety, we will work to develop a resolution and then will take appropriate action. All other potential vulnerabilities will be evaluated and addressed according to the risk associated with them.

All aspects of this process are subject to change without notice and to case-by-case exceptions. No particular level of response is guaranteed.

* By contacting us, you agree that the information you provide will be governed by our site’s “Privacy Policy”.
