Elekta Coordinated Vulnerability Disclosure Statement
Elekta is committed to ensuring the safety and security of the products we develop and provide for cancer care. Elekta welcomes the invaluable contributions offered by security researchers and by our customers (“submitter”). This Coordinated Vulnerability Disclosure policy is designed to ensure a responsible and streamlined process for reporting and handling of product security vulnerabilities.
This statement applies to all supported Elekta products, and solutions. The goal of Elekta in partnership with the submitter should always be to reduce risk and patient safety in the healthcare solutions impacted by any discovered vulnerability.
Elekta will not pursue legal action for those acting in good faith and in adherence to the coordination instructions and guidelines described in this policy, including compliance with all applicable laws.
Communicating with Elekta
To ensure proper handling of the disclosure in both directions, submitter should adhere to the following instructions:
- Submit report, preferably in English to firstname.lastname@example.org.
- Use our PGP public key available on this page to encrypt any email submissions.
- Provide us with detailed technical information of the security issue or vulnerability including
- Specific product tested, including product name and version number
- The technical infrastructure tested, including operating system and version; and any relevant additional information such as network details
- For web-based products, date and time of testing, URLs, the browser type and version, as well as the input provided to the application
- Details of the vulnerability discovered, how you discovered it, the impact and any potential remediation
- Any evidence that this vulnerability is being exploited
- Any additional information which can help Elekta verify the issue, including tools used for testing
- Do not include sensitive information (other than information related to the vulnerability details) in any screenshots or other documents or content you provide to Elekta.
- If submitter involved ICS-CERT, CERT/CC, relevant regulators, or other appropriate parties, share that information along with any tracking numbers provided.
- Provide reports that include proof-of-concept code to allow Elekta to better triage.
Once we have received a report, Elekta will:
- Acknowledge receipt within three (3) business days.
- Provide the submitter with a unique tracking number for your report.
- Perform an initial assessment on the potential findings to determine accuracy, need for escalation and product group to escalate to.
- Request for additional information if required to establish the vulnerability
- Keep you informed on the status of your report
- If the vulnerability is in a third-party component which is part of our product, we will refer the report to that third party and advise you of that notification. With your consent, share your contact information with the third-party.
- Upon verifying the vulnerability, work on a resolution
- Perform QA/validation testing on the resolution
- Use existing processes to manage the release of patches or security fixes, which may include direct customer notification or release of security advisory
- Provide the researcher with public recognition if requested and if the report results in a publicly released fix or communication.
- Where necessary or if we are unable to resolve communication issues or other problems, Elekta may bring in a neutral third party (such as CERT/CC, DHS-ICS-CERT, or the relevant regulator) to assist in determining best way to handle the vulnerability.
What is expected of Submitters?
Through this statement, Elekta expects the submitter to adhere to following guidelines.
- Never perform any testing (or hacking) on active environments in use for patient care, patient diagnosis or monitoring (use test or development environments to perform vulnerability testing)
- Comply with all applicable laws and regulations
- Using social engineering to gain access to the system
- Do not access, modify or delete any data in any account or system for which you do not have legal control
- Do not take advantage of the vulnerability or any issue you have discovered; do not take any disproportionate or illegal actions including building backdoors into a system
- We ask you to work with Elekta on selecting public release dates for information on discovered vulnerabilities to minimize the possibility of public safety, privacy and security risks
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires. Inform us of your disclosure plans, if any, prior to public disclosure.
Any information shared with Elekta may be used in any manner determined appropriate by Elekta. Submitting any information will not create any rights for the submitter, nor will it create any obligations for Elekta.