Last Updated: November 6, 2024
PURPOSE
The purpose of this policy is to provide a structured process for security researchers to report vulnerabilities, ensure timely assessment and remediation, and foster a collaborative relationship with the security community. Our goal is to enhance the security of our medical devices and protect patient safety.
SCOPE
This policy applies to all medical devices developed, manufactured, and maintained by ATEC. It covers vulnerabilities related to software, hardware, and firmware components of our products.
RESPONSIBILITIES
INFORMATION SECURITY – the individual or group responsible for receiving, reviewing and, as appropriate, addressing vulnerabilities reported to vulnreport@atecspine.com.
POLICY
INTRODUCTION
At ATEC, we are committed to ensuring the security and safety of our medical devices. We recognize the importance of collaboration with the security research community to identify and address vulnerabilities. This Coordinated Vulnerability Disclosure Policy outlines our approach to receiving, managing, and disclosing vulnerabilities in accordance with FDA guidelines and applicable standards.
REPORTING VULNERABILITIES
How to report:
Security researchers are encouraged to report vulnerabilities by emailing: vulnreport@atecspine.com
Information to include:
- Description of the vulnerability;
- Affected product and version;
- Steps to reproduce the issue;
- Potential impact of the vulnerability;
- Any suggested mitigations; and
- Your contact information for follow-up.
ACKNOWLEDGEMENT AND RESPONSE
We will acknowledge receipt of your vulnerability report within 3 business days.
Our security team will conduct an initial assessment of the reported vulnerability within 10 business days.
VULNERABILITY HANDLING AND REMEDIATION
Triage and Validation: Our security team will triage and validate the reported vulnerability. If necessary, we may reach out to you for additional information or clarification.
Risk Assessment: Each validated vulnerability will undergo a risk assessment to determine its severity and potential impact on patient safety and product performance.
Remediation Plan: Based on the risk assessment, we will develop a remediation plan, which may include patch development, mitigation measures, or product updates.
Resolution and Disclosure: Upon remediation, we will inform the reporter of the resolution and, where appropriate, publicly disclose the vulnerability and its fix(es).
SAFE HARBOR
We value the contributions of security researchers and are committed to fostering a collaborative environment. Researchers who adhere to this policy and act in good faith will not face legal action from ATEC. We request that researchers:
- Avoid violating privacy, destroying data, or disrupting services; and
- Provide us with a reasonable time to remediate the vulnerability before disclosing it publicly.
COMPLIANCE WITH REGULATORY REQUIREMENTS
This policy aligns with FDA guidance on postmarket management of cybersecurity in medical devices and complies with applicable standards, including ANSI/AAMI SW96. We commit to continuous improvement and regular review of our vulnerability disclosure processes to ensure compliance with evolving regulatory requirements.
CONTACT INFORMATION
For any questions or concerns regarding this policy, please contact us at vulnreport@atecspine.com.