Last updated: 03 June 2024
Coordinated Vulnerability Disclosure Statement
Masimo acknowledges the crucial contributions of security researchers in safeguarding our products and data. Our commitment to product and service security is unwavering, recognizing the significant implications of vulnerabilities. We advocate for the ethical disclosure of vulnerabilities and to investigate all credible reports.
Scope
This policy covers all medical devices and software applications manufactured, distributed, or sold by Masimo.
Certain activities and vulnerabilities are out of this policy’s scope, these include without limitation:
- Vulnerabilities found in services directly related to operating systems;
- Vulnerabilities found in third-party components; and
- Security testing that may degrade, disrupt, or negatively impact services or user experiences (e.g., denial of service, brute force, password spraying).
Vulnerability Reporting Process
Researchers should initially contact us via email at TechService-US@masimo.com to notify us of a potential vulnerability.
We request that as part of your initial contact you include information available regarding:
- A high-level description of the vulnerability;
- Specifications for the affected device (for example: version, model, or serial numbers);
- Any pertinent information regarding the computers, network connectivity, and firmware configurations, or tools in use when the vulnerability was discovered;
- A description of the potential exploit code, proof of concept, and sample packet capture as applicable;
- When and where the vulnerability was discovered;
- Known or suspected threats relating to the vulnerability (including any known or suspected exploitation);
- Whether the vulnerability is known to any other parties or has been reported to government/regulatory agencies;
- If you communicated vulnerability information to vulnerability coordinators such as CISA or other parties, please advise us and provide their tracking number, if one has been made available.
- Preferred method of communication and contact information for continued communications with you, if applicable
- We recommend communication in English for clarity and efficiency.
Upon receipt, our team will provide specific instructions on how to securely submit the detailed vulnerability report. If necessary, we will request more information from the reporter.
The reporter must enable encryption for all email communication to ensure the security of the information being exchanged.
Please refrain from including sensitive confidential information, such as patient information, in any screenshots or other information you provide to us.
Submission Requirements
To facilitate a constructive and efficient resolution process, we request detailed vulnerability disclosure that include:
- Limit actions to verifying the existence of a vulnerability without exploiting it for any purpose beyond proof, including avoiding data extraction, or introducing new vulnerabilities.
- Refrain from public disclosure of vulnerabilities until after a coordinated disclosure period agreed upon with us.
- Avoid research on systems where there's a risk of harm to patients, particularly avoiding testing on products or infrastructure in clinical or other sensitive settings where they're used for patient care, patient diagnosis, or patient monitoring, or could impact such activities.
- Avoid research on other systems currently in active use.
- Promptly inform us of any communications with government/regulatory bodies or other third parties regarding discovered vulnerabilities.
We urge researchers to conduct their investigations ethically, without violating privacy laws or damaging Masimo products, user data, or user experience.
Our Commitment to Researchers
When researchers submit vulnerability reports, they can anticipate the following responses from our team:
- Within 5 calendar days of your submission, you will receive confirmation that we have received your report. This initial acknowledgment is our commitment to you that your findings are being taken seriously and are in the process of being evaluated by our security team.
- Throughout the vulnerability verification and resolution process, we are committed to providing you with consistent updates about our review of your report. Our goal is to maintain a transparent and open line of communication, making sure you are fully informed about the progress we're making on addressing your submission.
- For a verified vulnerability, we will notify the appropriate product teams.
- We will determine if a patch/upgrade or other suggested mitigations are appropriate for the vulnerability, corresponding fixes will be developed and prepared for distribution.
- We will then publicize and release patches, upgrades, or other suggested actions. These may involve direct customer notification or public release of an advisory notification on our website.
- We understand the importance of protecting your identity and the sensitive information contained within your report. We will not disclose any information that could potentially reveal your identity without obtaining your explicit consent beforehand.
Expectations After Submission
By submitting information through this process, you agree that:
- Masimo is allowed to use the information regarding the vulnerability (other than any personal data of the submitter/researcher) in any manner, in whole or in part, without any restriction.
- Submitting such information does not create any rights for you or any obligations for Masimo including any payment obligations.
- You do not have any proprietary or confidentiality rights to the submitted information.