Bracco Diagnostics Inc.’s Coordinated Vulnerability Disclosure Program
Through our relentless commitment to innovation, we optimize interventional decisions, equipping people with the power to get back to life. In support of this mission, we are committed to designing, manufacturing, and maintaining safe and secure medical devices. We recognize the role security researchers play in promoting secure design practices within the medical device industry.
Scope of Vulnerability Disclosure Program
The Coordinated Vulnerability Disclosure Program applies to all commercially available Bracco Diagnostics Inc. software-enabled products. This program is designed as a resource for security researchers to report security vulnerabilities to Bracco Diagnostics Inc.
Reporting Potential New Vulnerabilities
To submit a potential new vulnerability to Bracco Diagnostics’ Product Security Team, please send an encrypted email to Bracco Diagnostics Product Security using this PGP key.
When exchanging potential vulnerability information on a Bracco Diagnostics product, please contact us via email as soon as possible.
The coordinated vulnerability disclosure program is not designed for technical support information on Bracco Diagnostics’ products or for reporting adverse events or product quality complaints. If the discovered vulnerability or any other issue may have contributed to an adverse event, please make a report via your applicable complaint reporting process, as vulnerability reporting alone is not intended to include the reporting of an adverse event.
Submission guidelines
- Keep details of all potential Bracco Diagnostics product vulnerabilities confidential.
- Promptly inform Bracco Diagnostics of any discovered vulnerability and any communications made to regulatory organizations or other third parties.
- Stay within the specified scope outlined in the Coordinated Vulnerability Disclosure Program.
- Do not publicly disclose without prior engagement with Bracco Diagnostics Inc.
- Perform testing in a safe environment. Do not perform testing in active clinical settings where patient care is provided.
Timelines for Bracco Diagnostics Inc. Response
- Bracco Diagnostics will acknowledge receipt of submitted vulnerability details within five business days.
- Bracco Diagnostics may request additional information to validate the submitted vulnerability.
- Bracco Diagnostics will communicate the internal process and expected timelines for each vulnerability submitted.
- Bracco Diagnostics will always communicate in writing. Phone calls may occur during the evaluation process, but all official communication will originate by email from the Bracco Diagnostics Product Security team.
For instance, to validate a submitted vulnerability, Bracco Diagnostics will engage internal teams to assess the impact, investigate and define the product’s remediation process, and develop transparent expectations of the implementation timeline.
US-N/A-2500006 02/25