Vulnerability Disclosure Policy
Optomed Vulnerability Disclosure Policy (VDP)
1. Purpose
This policy outlines how Optomed manages the responsible disclosure of cybersecurity vulnerabilities in its medical devices and associated software systems. Our goal is to protect patient safety, ensure device integrity, and foster collaboration with the security research community. We want to ensure vulnerabilities are managed promptly and transparently, protecting users and meeting regulatory requirements.
2. Scope
This policy applies to:
- All medical devices manufactured by Optomed
- Associated software, mobile apps, cloud services, and firmware
- Internal and external stakeholders, including researchers, customers, and regulators
- All employees, contractors, suppliers, and external parties who interact with company systems, products, or data
3. Reporting Channels
Vulnerabilities may be identified via internal testing, third-party audits, customer feedback, or external reports.
Potential or suspected vulnerabilities may be reported through the following channel:
- Via the vulnerability reporting form available on Optomed’s website
4. What to Include in a Report
Please provide:
- Device name and model
- Software version or firmware ID
- Detailed description of the vulnerability
- Steps to reproduce the issue
- Potential impact (e.g., data breach, device malfunction)
- Any suggested mitigation or patch
5. Our Commitment
- Acknowledge receipt within 5 business days
- In case of an unacceptable risk to patient safety, follow the FDA's Medical Device Reporting (MDR) requirements and timelines
- Work with the reporter to validate and remediate the issue where feasible
- Credit researchers (with consent) in public advisories
- Avoid legal action against good-faith researchers
6. Coordinated Disclosure
We follow a 90-day disclosure window:
- Researchers agree to keep findings confidential for 90 days
- We aim to release patches or mitigations within this window
- Public disclosure may occur earlier if risk warrants
7. Legal Safe Harbor
We will not pursue legal action against individuals who:
- Act in good faith
- Avoid harm to patients or systems
- Do not exploit or disclose vulnerabilities beyond reporting
Questions regarding this policy may be sent to: ithelpdesk@optomed.com. We also invite you to contact us with suggestions for improving this policy.
Content last reviewed: 2026-06-16. Version 1.0