Product Security
Systems’ Product Security
Portal
ACIST Medical Systems’ Coordinated Vulnerability Disclosure Program
Through our relentless commitment to innovation, we optimize interventional decisions, equipping people with the power to get back to life. In support of this mission, we are committed to designing, manufacturing, and maintaining safe and secure medical devices. We recognize the role security researchers play in promoting secure design practices within the medical device industry.
Scope of Vulnerability Disclosure Program: The Coordinated Vulnerability Disclosure Program applies to all commercially available ACIST Medical Systems software-enabled products. This program is designed as a resource for security researchers to report security vulnerabilities to ACIST.
Reporting Potential New Vulnerabilities
To submit a potential new vulnerability to ACIST’s Product Security Team, please send an encrypted email to BMT Product Security ([email protected]) using this PGP key.
When exchanging potential vulnerability information on an ACIST product, please contact us via email as soon as possible. Additional vulnerability disclosure program guidelines will be provided during the initial contact.
- PGP Key ID: 0x2765D81414BFDDE1D839D2C5BD5BC4EBA13F8FC7
- Email: [email protected]
The Coordinated Vulnerability Disclosure Program is not designed for technical support information on ACIST products or for reporting adverse events or product quality complaints. If the discovered vulnerability or any other issue may have contributed to an adverse event, please make a report to [email protected], as vulnerability reporting alone is not intended to include the reporting of adverse events.
Submission guidelines
- Keep vulnerability details of all ACIST products confidential.
- Promptly inform ACIST of any discovered vulnerability and any communications made to regulatory organizations or other third parties.
- Stay within the specified scope outlined in the Coordinated Vulnerability Disclosure Program.
- Do not publicly disclose without prior engagement with ACIST Medical Systems.
- Perform testing in a safe environment. Do not perform testing in active clinical settings where patient care is provided.
Timelines for ACIST response
- ACIST will acknowledge receipt of submitted vulnerability details within five business days.
- ACIST may request additional information to validate a submitted vulnerability.
- ACIST will communicate the internal process and expected timelines for each vulnerability submitted.
- ACIST will always communicate in writing. Phone calls may occur during the evaluation process, but all official communication will originate in email from the BMT Product Security team. For instance, to validate a submitted vulnerability, ACIST will engage internal teams to assess the impact, investigate and define the product’s remediation process, and develop transparent expectations of the implementation timeline.