Coordinated Vulnerability Disclosure Process
Arthrex is fully committed to delivering uncompromising quality to the health care professionals who use our products, and ultimately, the millions of patients whose lives we impact. Arthrex follows a comprehensive cybersecurity approach to secure its products through the Secure Product Development Framework (SPDF). Following best practices and secure design, Arthrex continually strives to maintain a high standard of security and privacy throughout the software product life cycle.
Arthrex has developed a formalized approach for handling reported security vulnerabilities for products. Arthrex encourages and welcomes vulnerability reports from researchers, industry groups, CERTs, partners, and other sources. The disclosure of security vulnerabilities is part of Arthrex's commitment to ensure the security and safety of our product portfolio.
Note: This vulnerability disclosure program is not intended for technical support information on our products or for reporting adverse events or product quality complaints. If you need to report one of these, please visit Arthrex - Global Product Support.
Note: Arthrex does not participate in a bug bounty program or provide compensation for reported vulnerabilities.
Guidelines
We require that all researchers:
- Engage in testing of systems/research without harming anyone and only within the scope of our vulnerability disclosure program.
- Test only on products in a way that does not affect customers, or obtain the customer's permission before performing vulnerability testing against their devices or software.
- Make sure to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
- Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or to pivot to other systems.
- Collaborate with Arthrex to work on a resolution before disclosing the vulnerability publicly.
- Comply with all applicable laws.
If you follow these guidelines when reporting an issue to us, we commit to:
- Work with you to understand and resolve the issue.
- Keep you informed about the progress of a vulnerability as it is processed.
Scope
Arthrex only accepts vulnerability reports for actively maintained medical devices, software as a medical device, and mobile medical applications.
In the interest of the safety of our users, staff, and you as a security researcher, the following types of testing/findings are excluded from scope:
- Findings from physical testing such as office access (eg, open doors, tailgating)
- Findings derived primarily from social engineering (eg, phishing, vishing)
- Findings from applications or systems not listed in the "Scope" section
- Network-level denial of service (DoS/DDoS) vulnerabilities
Report a Security Vulnerability
If you believe you've found a security vulnerability in one of our products or platforms, please send it to us by emailing productsecurity@arthrex.com. Please include the following details with your report, in English, if possible:
- Your contact information so that we may get in touch with you
- Product name
- Affected version(s)
- Potential impact and severity estimate
- Possible root cause
- A detailed description of the tools and steps required to reproduce the vulnerability (proof-of-concept scripts, screenshots, and compressed screen captures are all helpful to us)
- Any prior notifications to other parties
Note: Reports that include only crash dumps or other automated tool output may receive lower priority.
We prefer that security researchers encrypt their reports with our PGP key. After importing the key, confirm that its fingerprint matches the one listed below before encrypting:
- Email: productsecurity@arthrex.com
- [PGP Key]
- PGP fingerprint: 766F97D7717A124F3DC9420D4E492F33C48EC56A
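The following shell script is an added example, not Arthrex tooling, showing how a researcher would check the imported key against the fingerprint published above before encrypting a report to it. It assumes GnuPG 2.1 or later is installed and that the downloaded key and the report live in local files whose names (`arthrex-productsecurity.asc`, `report.txt`) are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not Arthrex's own tooling): verify the fingerprint of the
# downloaded Arthrex product-security PGP key against the value published on
# the disclosure page, then encrypt a report to it. File names are assumptions.

# Fingerprint as published on the disclosure page, with no spaces.
EXPECTED_FP="766F97D7717A124F3DC9420D4E492F33C48EC56A"

# normalize_fp FP: strip spaces and colons and uppercase, so the different ways
# a fingerprint is displayed (grouped in fours, colon-separated, lowercase)
# all compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ' :' | tr '[:lower:]' '[:upper:]'
}

# check_fingerprint FP: succeed only if FP matches the published fingerprint.
check_fingerprint() {
    [ "$(normalize_fp "$1")" = "$EXPECTED_FP" ]
}

# key_file_fingerprint KEYFILE: print the primary-key fingerprint contained in
# an armored public-key file without importing it (GnuPG >= 2.1). In
# --with-colons output the fingerprint is field 10 of the first "fpr" record.
key_file_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '/^fpr:/ { print $10; exit }'
}

# encrypt_report KEYFILE REPORT OUTFILE: import the key only after its
# fingerprint checks out, then encrypt REPORT to it. --trust-model always is
# acceptable here because trust was established by comparing the fingerprint
# against the published value, not by the web of trust.
encrypt_report() {
    local keyfile="$1" report="$2" outfile="$3" fp
    fp="$(key_file_fingerprint "$keyfile")"
    if ! check_fingerprint "$fp"; then
        echo "fingerprint mismatch: got '${fp:-none}', expected $EXPECTED_FP" >&2
        return 1
    fi
    gpg --batch --quiet --import "$keyfile"
    gpg --batch --yes --armor --trust-model always \
        --recipient "$EXPECTED_FP" --output "$outfile" --encrypt "$report"
}

# Usage with assumed file names:
#   ./encrypt_report.sh arthrex-productsecurity.asc report.txt report.txt.asc
if [ "$#" -eq 3 ]; then
    encrypt_report "$1" "$2" "$3"
fi
```

The resulting `report.txt.asc` is what gets attached to the email to productsecurity@arthrex.com; if the fingerprint comparison fails, the script refuses to import or encrypt, which is the point of publishing the fingerprint out-of-band.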
Notice
In the case you decide to share any information with Arthrex, you agree that the information you submit will be considered as nonproprietary and non-confidential and that Arthrex is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for Arthrex.