United Imaging Healthcare
Coordinated Vulnerability Disclosure Process

PREFACE

UIH is committed to helping ensure the safety and security of its customers' facilities.
UIH is prepared to work in good faith with individuals or groups who submit vulnerability reports by sending an email to UIH-CVD@myrinbow.com. UIH does not intend to engage in legal action against individuals or groups who:

  • Comply with laws and relevant regulations
  • Participate in testing of the system without harming anyone
  • Obtain permission/consent from customers before engaging in testing or vulnerability testing against their devices/software, etc.
  • Perform coordinated disclosure before an agreed deadline expires to avoid disclosing vulnerability details to the public
  • Avoid impact to the safety or privacy of anyone. With regard to medical products, particularly avoid impact to the safety or privacy of patients

Scope

This Coordinated Vulnerability Disclosure Statement applies to all UIH commercially available products.

This process is to be used for reporting potential new vulnerabilities within UIH Products. Vulnerabilities in operating systems and other third-party components should not be reported via this process.

VULNERABILITY HANDLING AND DISCLOSURE PROCESS

Discovery and reporting

Verification and evaluation

Handling

Disclosure

Discovery and reporting

To report a security vulnerability affecting a UIH product or solution, please send an email to UIH-CVD@myrinbow.com. Please use our PGP Key to protect any sensitive details. Please do not include sensitive data (e.g., identifiable patient data) within the body of the email or any attachments (e.g., screenshots, images or log files).
UIH usually responds to incoming reports within four business days (reference: Shanghai, China).

Please report the following information:
  • Description of vulnerability, including proof-of-concept exploit code or network traces (if available)
  • Affected product, solution, including model and firmware version (if available)
  • Publicity of vulnerability (was it already publicly disclosed?)

Everyone is encouraged to report discovered vulnerabilities, regardless of service contracts or product lifecycle status.

UIH welcomes vulnerability reports from researchers, industry groups, partners and any other source, as UIH does not require a non-disclosure agreement as a prerequisite for receiving reports.

UIH respects the interests of the reporting party (including anonymous reports if requested) and agrees to handle any vulnerability that is reasonably believed to be related to UIH products, solutions or infrastructure components.

UIH urges reporting parties to perform a coordinated disclosure, as immediate public disclosure causes a '0-day situation' which puts UIH customers' systems at unnecessary risk.

Verification and evaluation

UIH investigates and reproduces the vulnerability. If needed, UIH will request more information from the reporter.

Handling

UIH performs internal vulnerability handling in collaboration with the responsible development groups.

During this time, UIH and the reporting party communicate regularly to share the current status and to ensure that the vendor's position is understood by the reporting party.

If available, pre-releases of software fixes may be provided to the reporting party for verification.

Disclosure

Once the issue has been successfully analyzed, and if a fix is necessary to address the vulnerability, corresponding fixes will be developed and prepared for distribution. UIH will use existing customer notification processes to manage the release of patches, which may include direct customer notification.

Vulnerability Details
For more detailed vulnerability information, please visit

A UIH security notification usually contains the following information:
  • Identity of known affected products and software/hardware versions
  • Information on mitigating factors and workarounds
  • The location of available fixes
