MedISAO introduces Coordinated Vulnerability Disclosure process for members
Does your organization have a Coordinated Vulnerability Disclosure Process as advised by the FDA's Postmarket Cybersecurity Guidance?
MedISAO can take care of that for you! We recently launched a Coordinated Vulnerability Disclosure (CVD) program that can get you started or augment your already established process.
What does it mean to be a part of this program?
MedISAO will act as a Coordinator for your Organization as defined in ISO/IEC 29147. It will host a form here where security researchers can submit vulnerability reports, and will forward those reports to your organization. On your organization's website and in documentation, you should direct users to this form as one of the accepted ways of submitting vulnerability information. Once the vulnerability has been verified and resolved or rejected by your organization, MedISAO will inform the reporter of actions taken, and disseminate advisories about the fix through its standard advisory process.
How can I sign up?
Email firstname.lastname@example.org with your MedISAO username to start the process.
Are there any costs associated with this program?
The Coordinated Vulnerability Disclosure program is free for all organizational members.
Does this mean I don't need to set up a Vulnerability Handling Program at my organization?
You still need to set up an internal vulnerability handling program at your organization that will handle vulnerability verification and response. For reference, see ISO/IEC 30111:2013 or MedISAO's guide on how to set up a policy at your organization. If you need more help, you can email us at email@example.com any time.
My organization already has an established Coordinated Vulnerability Disclosure Process. Should I still join MedISAO's program?
Yes! In addition to your already established process, MedISAO can serve as an additional avenue for receiving vulnerability information.