United Imaging Healthcare
Coordinated Vulnerability Disclosure Process
To report a security vulnerability affecting a UIH product or solution, please send an email to UIH-CVD@myrinbow.com. Please use our PGP Key to protect any sensitive details. Please do not include sensitive data (e.g., identifiable patient data) within the body of the email or any attachments (e.g., screenshots, images or log files).
UIH usually responds to incoming reports within four business days (reference: Shanghai, China).
Please report the following information:
·Description of vulnerability, including proof-of-concept exploit code or network traces (if available)
·Affected product or solution, including model and firmware version (if available)
·Publicity of vulnerability (was it already publicly disclosed?)
Everyone is encouraged to report discovered vulnerabilities, regardless of service contracts or product lifecycle status.
UIH welcomes vulnerability reports from researchers, industry groups, partners and any other source, as UIH does not require a nondisclosure agreement as a prerequisite for receiving reports.
UIH respects the interests of the reporting party (including anonymous reports, if requested) and agrees to handle any vulnerability that is reasonably believed to be related to UIH products, solutions or infrastructure components.
UIH urges reporting parties to perform a coordinated disclosure, as immediate public disclosure causes a '0-day situation' which puts UIH's customer systems at unnecessary risk.
After the issue has been successfully analyzed, and if a fix is necessary to address the vulnerability, corresponding fixes will be developed and prepared for distribution. UIH will use existing customer notification processes to manage the release of patches, which may include direct customer notification.
A UIH security notification usually contains the following information:
·Identity of known affected products and software/hardware versions
·Information on mitigating factors and workarounds
·The location of available fixes