GE HealthCare Coordinated Vulnerability Disclosure Statement v2.1

Updated August 2023

GE HealthCare Encourages Responsible Security Research

GE HealthCare recognizes the important role security researchers play in helping to promote secure design practices and security risk mitigation both within the medical device industry specifically and the healthcare ecosystem as a whole. We value the work done by security researchers and encourage proactive engagement with us on discovered vulnerabilities and proposed disclosure in a coordinated and responsible manner. This document sets out both our expectations of researchers conducting security research on GE HealthCare products in their interactions with us and others and also what they can expect from us.

Purpose

The purpose of the GE HealthCare Coordinated Vulnerability Disclosure Program is to coordinate the investigation and disclosure of potential new vulnerabilities in GE HealthCare products. The collective goal of security researchers and GE HealthCare should always be to reduce risk, with due consideration given to the entire operating environment impacted by any discovered vulnerability.

Scope

This Coordinated Vulnerability Disclosure Statement applies to all GE HealthCare commercially available products.

This process is to be used for reporting potential new vulnerabilities within GE HealthCare Products. Vulnerabilities in operating systems and other third-party components should not be reported via this process.

Reporting Pre-Requisites

Security researchers must adhere to the following pre-requisites throughout the research and disclosure process, including initial research and testing:

  • Comply with all applicable laws and regulations of your location and the location in which the GE HealthCare product is located;
  • Do not use a vulnerability to take disproportionate action, such as exploiting a vulnerability other than to prove its existence, removing sensitive data from the product or creating a backdoor within or otherwise introducing further vulnerability into a product for subsequent use;
  • Do not engage in research or testing of systems where there is any risk of patient harm;
  • Do not test products or network infrastructure in clinical settings or other active environments where the products are being used for any type of patient diagnosis, treatment, care or monitoring, or could inadvertently be used in this way;
  • Any product intended for subsequent use in a clinical setting should be returned to its original state when testing is concluded. Contact GE HealthCare for Service Assistance;
  • Ensure you obtain written permission from the owner of the GE HealthCare Product in advance of any testing to ensure that the scope is clear. If the product is leased from GE HealthCare, permission must be obtained from both GE HealthCare and the lessee;
  • Do not disclose vulnerability details to the public before a mutually agreed-upon timeframe with GE HealthCare has expired;
  • Do not operate outside of the scope described in this document; and
  • Do provide us with details of communication to regulatory organizations or other third parties about any discovered vulnerability, without delay.

How to Submit a Vulnerability

To submit a potential new vulnerability to GE HealthCare’s Product Security Team, please send an email to (GEHealthcareCVD@GE.com). Please use our PGP key, or other suitable encryption tools, to protect any sensitive details. Please do not include sensitive data (e.g., identifiable patient data) within the body of the communication or any attachments (e.g., screenshots, images or log files).

This CVD email is not to be used for inquiries related to already disclosed vulnerabilities or vulnerabilities in third-party components (not within GE Healthcare product software). Information related to previously disclosed vulnerabilities is available on the GE HealthCare Product Security Portal, or can be requested through a GE HealthCare Service Representative.

Preference, Prioritization and Acceptance Criteria

What we request of and expect from you:

  • Well-written reports in English have a higher chance of resolution;
  • Inclusion of essential details like geographical location of product, exact model and serial number, as well as software revision and method obtaining the system, will benefit the prioritization;
  • Reports that include proof-of-concept code equip us to better triage;
  • Reports about products or environments not within the scope of this statement may not be prioritized;
  • All information on how you discovered the vulnerability, what impact you see, your thoughts on CVSS scoring and suggested remediations will help support efficient interaction with us;
  • Include your goal of the disclosure to us or any intentions for public disclosure; and
  • Do not use this channel to report complaints about GE products currently in use. All customer complaints regarding the safety or performance of a GE HealthCare product in use should be made directly to a GE HealthCare Service Representative.

What you may expect from us:

  • We will acknowledge receipt of your message within four (4) business days;
  • In the following phase of initial triage and assessments, an appropriate member of the GE HealthCare Product Security Team may reach out to you to:
    • Request additional information, or
    • Communicate an expected process and timeline, or
    • Notify that the reported vulnerability is not accepted into the program due to not meeting program requirements or providing enough details;
  • Once sufficient information has been collected, and the report has been accepted, we will:
    • Further assess the report and investigate with relevant security and product engineering teams;
    • Communicate throughout the investigation and remediation process, with clear expectations on timeline; and
    • Communicate our final conclusion;
  • GE HealthCare is a MITRE CVE Numbering Authority (CNA) and can create its own CVE and NVD entries for disclosure if required.
  • We will provide public recognition for the security researcher (if requested) and if the report results in a public disclosure.

Where necessary, GE HealthCare may request a neutral third party to assist in resolution of the report.

By submitting a report, you acknowledge that GE HealthCare may use in an unrestricted manner (and allow others to do the same) any data or information that you provide to GE HealthCare. Your submission does not grant you any rights under GE HealthCare intellectual property or create any obligations for GE HealthCare.