Coordinated Vulnerability Disclosure (CVD) Policy

Organ Recovery Systems, Inc. (“ORS”) proudly supports organ donation and transplant professionals in their service to honor the gift of life and improve outcomes for their patients. Fundamental to that mission, ORS is committed to designing, manufacturing, and maintaining safe and secure medical devices. Because cybersecurity threats and vulnerabilities change rapidly, ORS is committed to working with the security researcher community to verify and respond to reported vulnerabilities and asks researchers to participate in our responsible reporting process outlined below.

Scope

ORS utilizes this coordinated disclosure process for security researchers to report potential vulnerabilities related to our commercially available medical devices and health software.

The CVD process is not meant for technical support information on ORS products or for reporting Adverse Events or Product Quality Complaints. For these other matters please contact the Corporate Office at +1.847.824.2600 or the 24/7 Perfusion Helpline at +1.866.682.4800.

ORS CVD Process

How to submit. If you have discovered a potential vulnerability related to an ORS product, we ask you to initiate contact by filling out the contact form located at https://www.organ-recovery.com/contact-us/ and selecting “Product Security” from the drop-down menu.

Submitter content. ORS will respond to you via encrypted email and request the following information:

  • Additional contact information so we can get in touch with you: your name, organization, email address and phone number
  • Whether you believe multiple vendors are affected
  • When and where the vulnerability was discovered
  • Technical description of the vulnerability and environment in which it was discovered
  • Name, version, and configuration details of the affected product
  • Specific impact and how you envision this vulnerability could be used in an attack
  • Information about the tools, techniques, and technical infrastructure of your test environment, including operating system and version, test configurations, network configuration details, and any other relevant information you used to discover this vulnerability
  • For web-based services, please provide the date and time of testing, URLs, the browser type and version, as well as the input provided to the application
  • Any proof of concept or exploit code
  • Any indications of the vulnerability being exploited
  • Prior or intended disclosure of vulnerability information to other parties (e.g. regulators, vulnerability coordinators, vendors). Please include reference/advisory number if applicable

Please do not include any sensitive personal information in your submission, such as personal health information.

What ORS Will Do

  • We will acknowledge receipt of the report within 7 calendar days
  • We will notify the appropriate team to verify and reproduce the reported vulnerability. You may be contacted during this time to support our verification efforts
  • We will evaluate the reported vulnerability and conduct a risk analysis to determine appropriate action to take
  • Once determined, we will provide a summary of our findings
  • If ORS determines the issue warrants disclosure, we will publish a notification on this page https://www.organ-recovery.com/product-security, and we will report it to the appropriate external parties such as Computer Emergency Response Teams (CERTs) and Information Sharing and Analysis Organizations (ISAOs)
  • We may publicly acknowledge your contribution to improving the security of our products and services, subject to your agreement

Prioritization

Reports that include only crash dumps or other automated tool output, without analysis demonstrating a security impact, may receive lower priority.

Additional Information for Security Researchers

By participating in this vulnerability disclosure process, you agree to abide by the following rules:

  • You will only conduct testing in secure environments
  • You will abide by all applicable laws and regulations
  • You will not conduct any testing or related activity that could result, directly or indirectly, in harm to individuals or damage to our systems and equipment
  • You will use best efforts to avoid violating the privacy of our customers, patients, employees, contractors, and affiliates, including by accessing or modifying their data. If you inadvertently encounter data that you reasonably believe to be confidential (e.g., personal data, trade secrets), you will notify us immediately and will not alter, exfiltrate, or transfer such data
  • You will not conduct any testing on devices while they are in use or on software that is in a production environment
  • You will not exploit any vulnerability beyond the minimum level required to validate the vulnerability
  • You will not make changes to a product or system after your testing is completed
  • You will not engage in social engineering against our customers, employees, contractors, or affiliates
  • You will not alter, degrade, or destroy the availability of our systems, or the data that is on those systems
  • You will not physically access, degrade, or damage our datacenters or facilities
  • You will not publicly disclose the contents of your vulnerability report without our prior written consent

Notice

By submitting information through this process, you agree your submission will be governed by the ORS Privacy & Cookies Notice located at https://www.organ-recovery.com/privacy-policy/.

You agree that your submission will be considered non-proprietary and non-confidential, and that ORS may use the information in any manner, in whole or in part, without any restriction. You also agree that submitting such information does not create any rights for you or any obligations for ORS.