Coordinated Vulnerability Disclosure (English)
March 2021Gepubliceerd op: 26 juli 2021
At Streekziekenhuis Koningin Beatrix (SKB), Winterswijk we work hard to maintain and improve the security of our (medical) devices, systems and services. No matter how much effort we put into system security, there might be vulnerabilities present. If you discover a vulnerability you can report it safely via our Coordinated Vulnerability Disclosure, so the SKB can take safety measurements.
Reporting a vulnerability
If you have found a vulnerability, we would like to hear about it so that we can take appropriate measures as quickly as possible. The SKB is keen to cooperate with you to protect our clients and systems better.
If you comply with our Coordinated Vulnerability Disclosure policy we have no reason to take legal action against you regarding the reported vulnerability. We ask you to:
- Send your findings to SKB by sending an email to email@example.com.
- SKB will inform Z-CERT (see appendix, not in scope). Z-CERT is an organization who handles all cyber security issues on behalf of SKB. Z-CERT will work with you and the SKB to make sure that your report is handled with care.
- Provide adequate information to allow Z-CERT to reproduce the vulnerability which helps to resolve the problem as quickly as possible. An IP address or URL of the affected system with a description of the vulnerability will usually be sufficient, although more information might be necessary for more complex vulnerabilities.
- Do not exploit vulnerabilities, e.g. by downloading more data than is needed to demonstrate the vulnerability, looking into third-party data, deleting or modifying data.
- If you suspect to have access to medical data we ask you to let us verify this.
- Do not share information on vulnerabilities until they have been resolved and erase any data obtained through vulnerabilities as soon as possible;
- Do not attack physical security, use social engineering, distributed denial of service, spam, brute force attacks or third-party applications.
How we will handle your report
- SKB and Z-CERT will treat your report confidentially and will not share your personal data unless required by law;
- Z-CERT will send you an acknowledgement of receipt and will respond to your report with an evaluation and an expected resolution date within 5 working days;
- SKB and Z-CERT will keep you informed of the progress in resolving the problem;
- In communication about the reported problem we will mention your name as the discoverer of the problem (unless you desire otherwise).
We strive to resolve any vulnerability as soon as possible. Once the problem has been resolved we will decide in consultation whether and how details will be published.
Appendix: Not in scope
Z-CERT will not process reports of vulnerabilities or security issues that cannot be abused or are trivial. Below are a couple of examples of known vulnerabilities and issues that are outside the scope. This does not mean they are not important or should not be resolved, however our CVD process is meant for issues that can be actively abused. For example a vulnerabilities that can be abused by a public available exploit or a misconfiguration that can be used to bypass an existing security control. This list of exclusions is derived from a list used by the CERT of Surf (https://www.surf.nl/responsible-disclosure-surf).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages and content spoofing/text injections in these pages
- Fingerprinting/version disclosures op public services
- Public files or directories that do not contain confidential information
- Clickjacking problems that can only be exploited by clickjacking
- No secure/HTTP-only flags on unconfidentional cookies
- OPTIONS HTTP method enabled
- Rate-limiting without clear impact
All issues related to HTTP security headers, for example:
- SSL Forward secrecy disabled
- No TXT record for DMARC or a missing CAA-record
- Host header injection
- Reports of outdated versions of any software without a proof of concept of a working exploit