Coordinated Vulnerability Disclosure (CVD) Policy

Purpose

The purpose of this process is to describe how Bloomer Tech shall perform and document the disclosure of cybersecurity vulnerabilities within Bloomer Tech products and services.

Scope

This document describes activities which are conducted on an iterative basis throughout the production and post-production phases of Bloomer Tech products. The scope of this procedure applies to all Bloomer Tech products and services which contain software.

Roles and Responsibilities

Coordinated Vulnerability Disclosure Policy

Bloomer Tech is committed to designing, manufacturing, and maintaining safe and secure medical devices, which means working and collaborating with our customers and security researchers to verify and respond to legitimate vulnerabilities.

Bloomer Tech has defined this Coordinated Disclosure Policy to facilitate this collaboration, outlining our commitment to ensuring the security and privacy of our devices and users.

Bloomer Tech Responsibilities

  • Provide the coordinated disclosure policy and process on a publicly accessible medium.

  • Define the criteria for vulnerability disclosure reports (discussed below).

  • Provide tools to share information about security vulnerabilities safely.

  • Ingest and acknowledge receipt of the report within seven (7) business days.

  • Escalate the report to the appropriate team to verify and reproduce the vulnerability.

  • Contact and collaborate with the security researcher during the previous step.

  • Determine whether the vulnerability warrants disclosure, as described in the product's Cybersecurity Post Marketing Monitoring Plan (PDPROJ-2-CPMP).

  • If disclosure is warranted, publish a notification on a publicly accessible medium.

  • Report the vulnerability to appropriate external parties such as Computer Emergency Response Teams (CERTs) and Information Sharing and Analysis Organizations (ISAOs), as defined in the Cybersecurity Post Marketing Monitoring Plan (PDPROJ-2-CPMP).

  • Release a patch or instructions to mitigate the vulnerability, as described in the BloomerTAG Platform Cybersecurity Post Marketing Monitoring Plan (PDPROJ-2-CPMP).

Product Security Bulletins

Bloomer Tech shall publicly announce product security vulnerabilities and provide details on its website at https://www.bloomertech.com/product-security.

Posted vulnerabilities shall include the affected product and version, the vulnerability name, and a reference. References may include public resources such as ICS advisories, the NVD, CERT/CC, Microsoft Security Advisories, and others.

Posted vulnerabilities shall include those submitted via the coordinated disclosure process.

Security Researcher Responsibilities

Bloomer Tech expressly asks that security researchers comply with the following requirements:

  • Follow applicable laws and regulations, including computer security, anti-hacking, and privacy laws.

  • Avoid testing on devices that are in a production environment or in use.

  • Avoid testing that could:
    ○ Impact, hurt, or injure a patient
    ○ Leak private or sensitive information

  • Avoid exploiting the vulnerability or making changes to a live system.

  • Never include sensitive or personal information in online communications.

Coordinated Vulnerability Disclosure Process

Security researchers shall follow the process below to report potential vulnerabilities in Bloomer Tech's commercially available products. This process is not for technical support requests on Bloomer Tech products, nor for reporting Adverse Events or Product Quality Complaints.

Submission Steps

Send the report to support@bloomertech.com. All reports must be kept confidential and encrypted with Bloomer Tech's GPG public key. Write the report in English and include the following, in this order:

  1. Personal Contact Information
    a. First and last name
    b. Organization
    c. Email address
    d. Phone number

  2. Bloomer Tech Product Information
    a. Name
    b. Version
    c. Module, component, or environment (if known)

  3. Vulnerability Technical Description
    a. Name/Title
    b. Classification of the vulnerability using a framework such as the OWASP Top 10 or MITRE's Common Weakness Enumeration (CWE)
      i. E.g., SQL injection (CWE-89), buffer overflow (CWE-120), or cross-site scripting (CWE-79)
    c. Severity
      i. Base score and vector string using the Common Vulnerability Scoring System (CVSS) version 3.1 or later
    d. Vulnerability details
      i. What does the vulnerability do?
      ii. How did you find the vulnerability?
        1. What techniques did you use?
        2. What tools did you use?
      iii. Proof-of-concept or exploit code
        1. Include screenshots, images, project files, packet captures, etc.

  4. Vulnerability Exploitation
    a. Is there any indication that this vulnerability is being exploited?
      i. For example, sensitive data from the product can be found on a public website

  5. Other Disclosures
    a. Have you disclosed to other parties such as regulators, coordinators, or vendors?
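
The following is an added example, not Bloomer Tech's code or part of this policy, of how a researcher would produce the GPG-encrypted, ASCII-armored report the submission step requires. The policy does not publish a key URL or fingerprint, so the script generates a throwaway key pair (constructed here) to stand in for the vendor key and runs entirely offline; the recipient address support@bloomertech.com is the one given above. The step a practitioner should not skip is pinning the key fingerprint, obtained through a second channel, before encrypting anything: an attacker who substitutes a key on the download path would otherwise read the report.

```shell
#!/usr/bin/env sh
# Added example: encrypt a CVD report to the vendor's GPG public key.
# Real use: import the key Bloomer Tech publishes, check its fingerprint against a
# value obtained out of band, then encrypt. Here a constructed "vendor" key stands
# in for the real one so the script runs offline.
set -eu

WORK="$(mktemp -d)"
VENDOR_HOME="$WORK/vendor-gnupg"        # stands in for the vendor's keyring
RESEARCHER_HOME="$WORK/researcher-gnupg" # the researcher's keyring
RECIPIENT="support@bloomertech.com"      # address given in the policy
mkdir -p "$VENDOR_HOME" "$RESEARCHER_HOME"
chmod 700 "$VENDOR_HOME" "$RESEARCHER_HOME"

# Constructed stand-in for the vendor key (unprotected, RSA-2048, never expires).
# The real key is whatever Bloomer Tech publishes; this one exists only for the demo.
make_stand_in_vendor_key() {
  GNUPGHOME="$VENDOR_HOME" gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Bloomer Tech Product Security (example stand-in)
Name-Email: $RECIPIENT
Expire-Date: 0
%commit
EOF
  # "Published" public key, i.e. what a researcher would download.
  GNUPGHOME="$VENDOR_HOME" gpg --quiet --armor --export "$RECIPIENT" > "$WORK/vendor-key.asc"
}

# Primary-key fingerprint from a keyring (field 10 of the "fpr" record in colon output).
fingerprint_in() {
  GNUPGHOME="$1" gpg --with-colons --fingerprint "$RECIPIENT" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Researcher side: import the downloaded key and refuse to proceed unless its
# fingerprint matches the value pinned from a second channel. Returns 1 on mismatch.
import_and_pin_vendor_key() {
  pinned="$1"
  GNUPGHOME="$RESEARCHER_HOME" gpg --quiet --import "$WORK/vendor-key.asc"
  actual="$(fingerprint_in "$RESEARCHER_HOME")"
  [ "$actual" = "$pinned" ]
}

# Encrypt $1 to the vendor key, writing ASCII armor to $2 so it survives mail clients.
# --trust-model always: trust was established by the fingerprint check, not the web of trust.
encrypt_report() {
  GNUPGHOME="$RESEARCHER_HOME" gpg --quiet --batch --yes --trust-model always \
    --armor --encrypt --recipient "$RECIPIENT" --output "$2" "$1"
}

# Vendor side: decrypt $1 to $2, which is what the recipient does to confirm the round trip.
decrypt_as_vendor() {
  GNUPGHOME="$VENDOR_HOME" gpg --quiet --batch --yes --decrypt --output "$2" "$1"
}

# Constructed sample report, laid out in the order the policy asks for.
REPORT="$WORK/report.txt"
cat > "$REPORT" <<'EOF'
1. Contact: <first and last name>, <organization>, <email>, <phone>
2. Product: BloomerTAG Platform, version <x.y.z>, module: <component if known>
3. Vulnerability: <title>; CWE-<n>; CVSS 3.1 vector <AV:.../A:...>; details and PoC attached
4. Exploitation: no indication of exploitation observed
5. Other disclosures: none
EOF

make_stand_in_vendor_key
PINNED_FPR="$(fingerprint_in "$VENDOR_HOME")"   # in real use: copied from the out-of-band source
import_and_pin_vendor_key "$PINNED_FPR"
encrypt_report "$REPORT" "$WORK/report.txt.asc"
decrypt_as_vendor "$WORK/report.txt.asc" "$WORK/report.decrypted.txt"
if cmp -s "$REPORT" "$WORK/report.decrypted.txt"; then
  echo "round trip OK: $WORK/report.txt.asc"
else
  echo "round trip FAILED" >&2
  exit 1
fi
```

The armored output file is what goes in the e-mail body or as an attachment; the plaintext report and the working directory should be deleted afterwards, in line with the researcher's obligation to keep the report confidential. If the real key is protected by a passphrase or uses a different algorithm, only the stand-in key generation changes; the import, fingerprint check, and `--encrypt` call stay the same.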

POLICY EFFECTIVE DATE: 08/01/2024