GE HealthCare Coordinated Vulnerability Disclosure Statement v2.0
GE HealthCare Encourages Responsible Security Research
GE HealthCare recognizes the important role security researchers play in helping to promote secure design practices and security risk mitigation both within the medical device industry specifically and the healthcare ecosystem as a whole. We value the work done by security researchers, and encourage proactive engagement with us on discovered vulnerabilities and proposed disclosure in a coordinated and responsible manner. This document sets out both our expectations of researchers conducting security research on GE HealthCare products in their interactions with us and others and also what they can expect from us.
This Coordinated Vulnerability Disclosure Statement applies to all GE HealthCare commercially-available products. The collective goal of security researchers and GE HealthCare should always be to reduce risk, with due consideration given to the entire operating environment impacted by any discovered vulnerability.
Security researchers must adhere to the following pre-requisites throughout the research and disclosure process, including initial research and testing:
- Comply with all applicable laws and regulations of your location and the location in which the GE HealthCare product is located;
- Do not use a vulnerability to take disproportionate action, such as exploiting a vulnerability other than to prove its existence, removing sensitive data from the product or creating a backdoor within or otherwise introducing further vulnerability into a product for subsequent use;
- Do not engage in research or testing of systems where there is any risk of patient harm;
- Do not test products or network infrastructure in clinical settings or other active environments where the products are being used for any type of patient diagnosis, treatment, care or monitoring, or could inadvertently be used in this way;
- Any product intended for subsequent use in a clinical setting should be returned to its original state when testing is concluded. Contact GE HealthCare for Service Assistance;
- Ensure you obtain written permission from the owner of the GE Product in advance of any testing to ensure that the scope is clear;
- Do not disclose vulnerability details to the public before a mutually agreed-upon timeframe with GE HealthCare has expired;
- Do not operate outside of the scope described in this document; and
- Do provide us with details of communication to regulatory organizations or other third parties about any discovered vulnerability, without delay.
How to Submit a Vulnerability
To submit a vulnerability to GE HealthCare’s Product Security Team, please send an email to (GEHealthcareCVD@GE.com). Please use our PGP key, or other suitable encryption tools, to protect any sensitive details. Please do not include sensitive data (e.g. identifiable patient data) within the body of the communication or any attachments (e.g. screenshots, images or log files).
Preference, Prioritization and Acceptance Criteria
What we request of and expect from you:
- Well-written reports in English have a higher chance of resolution;
- Inclusion of essential details like geographical location of product, exact model and serial number, as well as software revision and method obtaining the system, will benefit the prioritization;
- Reports that include proof-of-concept code equip us to better triage;
- Reports about products or environments not within the scope of this statement may not be prioritized;
- All information on how you discovered the vulnerability, what impact you see, your thoughts on CVSS scoring and suggested remediations will help support efficient interaction with us;
- Include your goal of the disclosure to us or any intentions for public disclosure; and
- Do not use this channel to report complaints about GE products currently in use.All customer complaints regarding the safety or performance of a GE HealthCare product in use should be made directly to a GE HealthCare Service Representative.
What you may expect from us:
- We will acknowledge receipt of your message within four (4) business days;
- In the following phase of initial triage and assessments, an appropriate member of the GE HealthCare Product Security Team may reach out to you to:
- Request additional information, or
- Communicate an expected process and timeline, or
- Notify that the reported vulnerability is not accepted into the program due to not meeting program requirements or providing enough details;
- Once sufficient information has been collected, and the report has been accepted, we will:
- Further assess the report and investigate with relevant security and product engineering teams;
- Communicate throughout the investigation and remediation process, with clear expectations on timeline; and
- Communicate our final conclusion;
- We will provide public recognition for the security researcher (if requested) and if the report results in a public disclosure.
Where necessary, GE HealthCare may request a neutral third party to assist in resolution of the inquiry.
By submitting a request, you acknowledge that GE HealthCare may use in an unrestricted manner (and allow others to do the same) any data or information that you provide to GE HealthCare. Your submission does not grant you any rights under GE HealthCare intellectual property or create any obligations for GE HealthCare.