Health IT Responsible Disclosure Policy

We believe that vulnerability disclosure is a two-way street. Vendors, as well as researchers and other IT professionals must act responsibly. This is why we adhere to a 90-day disclosure deadline. We notify vendors of vulnerabilities immediately, and may share details with the appropriate people, be they Healthcare organisations, or members of the Information Security community after 90 days has past, or sooner if the vendor releases a fix.

This deadline may vary in some circumstances, and we will always strive to be non-punitive in enforcing it. At all times we intend to act in good faith and will review each case to ensure that is the situation.

If we observe a vulnerability being actively exploited in the wild as part of a zero day, we believe that more urgent action may be required. In those circumstances we reserve the right to disclose to those who may be affected by this vulnerability to ensure they are able to take steps to prevent exploitation. In those circumstances we will provide the vendor with as much notice as possible before taking this action.

We call on all vendors to adopt disclosure deadlines in some form and give permission for this document to be reproduced verbatim if you find our reasoning compelling. Creating pressure towards more reasonably timed fixes will result in smaller windows of opportunity for malicious actors to abuse vulnerabilities, which serves to enhance patient care.