Coordinated Vulnerability Disclosure Policy

Bigfoot Biomedical (Bigfoot) is committed to ensuring the safety and security of our customers, caregivers, and partners. Bigfoot has formalized our policy for accepting vulnerability reports about our products and services. We hope to foster an open partnership with the security community, and we recognize that the work the community does is important in continuing to ensure safety and security for all of our customers, caregivers, and partners.

Scope
The scope of our coordinated vulnerability disclosure program includes Medical Devices, Software as a Medical Device, and Mobile Medical Applications provided by Bigfoot.

Bigfoot’s Coordinated Vulnerability Disclosure Program currently covers the Bigfoot Unity product.

This policy is not intended to provide technical support information on our products or for reporting Adverse Events or Product Quality Complaints. For technical support or to report an Adverse Event or Product Quality Complaint, please contact us via email: Support@BigfootBiomedical.com

How to Report a Vulnerability

To report a potential vulnerability, please complete the form below. Alternatively, you may contact Bigfoot Biomedical via email at Security@BigfootBiomedical.com, but please still supply the information required by the form. By submitting this form, you agree to abide by the rules outlined below.

Important Information:
We recognize the importance of the work performed by the security community to help safeguard the safety and security of Bigfoot customers and caregivers. We will not engage in legal action against individuals who submit reports through our Coordinated Vulnerability Disclosure process and enter into a legal agreement with us.

We agree to work with individuals who:

  • Engage in testing of systems/research without harming Bigfoot or its customers.
  • Perform tests on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
  • Engage in vulnerability testing within the scope of our coordinated vulnerability disclosure program in accordance with the terms and conditions of any agreements entered into between Bigfoot and individuals.
  • Adhere to the laws of their own location and of Bigfoot's location. For example, violating laws that would only give rise to a claim by Bigfoot (and not a criminal claim) may be acceptable, as Bigfoot is authorizing the activity (reverse engineering or circumventing protective measures) to improve its system.
  • Refrain from disclosing vulnerability details before any mutually agreed-upon timeframe expires.

Preference, prioritization, and acceptance criteria
We will use the following criteria to prioritize and triage submissions.

What we would like to see from you

  • Reports written in English.
  • Reports that include proof-of-concept code, which will better equip us to triage.
  • How you found the vulnerability, the impact, and any potential remediation.
  • Any plans or intentions for public disclosure.

Note: Reports that include only crash dumps or other automated tool output may receive lower priority.

What you can expect from us

  • A timely response to your email (within 5 business days).
  • We will direct the potential findings to our security group for verification and reproduction. You may be contacted to provide additional information at this stage.
  • Following investigation of a report, we will confirm the existence of the vulnerability and its potential impact. If the identified vulnerability is determined to impact patient safety, we will work expeditiously to develop a resolution and take appropriate action. All other vulnerabilities will be evaluated and addressed based upon the associated risk.
  • An open dialog to discuss issues.
  • Notification when the vulnerability analysis has completed each stage of our review.
  • Credit after the vulnerability has been validated and resolved, if desired.
  • We are committed to being as transparent as possible about the remediation timeline and any issues or challenges that may be involved.
  • If we are unable to resolve communication issues or other problems, we may bring in a neutral third party (such as CERT/CC, ICS-CERT, or the relevant regulator) to assist in determining how best to handle the vulnerability.

All aspects of this process are subject to change without notice, as well as for case-by-case exceptions. No particular level of response is guaranteed.

Notice
In the event you decide to share any information with Bigfoot Biomedical, you agree that the information you submit will be considered non-proprietary and non-confidential, and that Bigfoot Biomedical is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for Bigfoot Biomedical.

Request Vulnerability Coordination Assistance

To request additional information or report a suspected vulnerability, please contact our security group using this form.

SOP-200658 Rev D, APR 2023