MED-EL Vulnerability Handling and Disclosure Policy
Introduction
MED-EL’s mission is to overcome hearing loss as a barrier to communication and quality of life. Providing secure products and services to our customers and protecting their data is a top priority for us. The scope of our commitment to security and data protection covers all stages, from product development to the investigation and resolution of identified issues.
We value the contribution of security researchers and other external groups (“Reporter”) who actively participate in identifying and reporting potential product security vulnerabilities in good faith to promote secure design practices without harming MED-EL or its customers.
If you have identified a potential security vulnerability with any of MED-EL’s products, we encourage you to report it by following this Policy and by making every effort to avoid privacy violations, destruction or manipulation of data, and interruption or degradation of our products and/or services during your research. Weaknesses in existing customer installations due to their individual designs or compromised access credentials are not considered a product vulnerability.
Authorization
When acting in a manner consistent with this Policy, we will consider your security research to be authorized, and will work with you to understand and resolve the issue quickly. In addition, MED-EL will not recommend or pursue legal action related to your research.
MED-EL cannot and does not authorize security research which involves the networks, systems, information, applications, products, or services of a third party. The Reporter agrees to follow the third party's bug bounty policy, if they have one, or to contact the third party either directly or through a legal representative before initiating any security research on that third party or their services. This information and any actions taken hereunder are not, and should not be understood as, any agreement on MED-EL's part to defend, indemnify, or otherwise protect the Reporter from any third-party action based on the Reporter’s actions.
Scope
Our coordinated vulnerability disclosure program is applicable to commercially available MED-EL products, including networked embedded devices, software, mobile applications, and services managed by MED-EL.
Vulnerabilities found in systems from our vendors are out of scope and should be reported directly to the vendor according to their disclosure policy (if any).
Non-product security issues with the MED-EL website or IT infrastructure are out of scope, but can be reported to it-security[at]medel[.]com.
If you are not sure whether a product is in scope or not, please contact the MED-EL Product Security Incident Response Team (PSIRT) at ProductSecurity[at]medel[.]com before starting your research.
MED-EL PSIRT
The MED-EL PSIRT is a team of dedicated security professionals that receives, responds to, and tracks product-related security vulnerabilities. The goal of the MED-EL PSIRT is to minimize customer risk associated with security vulnerabilities by providing timely information, guidance, and remediation of vulnerabilities in released MED-EL products.
All reports about potential weaknesses in connection with MED-EL products can be forwarded to the MED-EL PSIRT. The MED-EL PSIRT coordinates and maintains communication with all stakeholders involved, internal and external, to react appropriately to identified security issues. The MED-EL PSIRT coordinates the response and disclosure of all externally identified product vulnerabilities.
Reporting Prerequisites
Reporters must adhere to the following prerequisites at all times:
- Comply with all applicable laws and regulations of their location and the locations in which the MED-EL products are located.
- Do not use a vulnerability to take disproportionate action against MED-EL, any of its employees and customers, or any other entity or people (e.g., exploiting a vulnerability other than to prove its existence, deleting or modifying any data, using social engineering or brute force attacks to gain access to the system, etc.).
- Do not use an exploit to compromise or exfiltrate data, establish persistence, or pivot to other systems.
- Do not create a backdoor within the product.
- Do not engage in security research or testing of products where there is any impact to the safety or privacy of patients.
- Do not test products in a clinical environment or while being actively used by patients as it could cause a product to malfunction.
- Do not use a product on patients, or in a clinical environment, if the product has been subjected to security testing.
- Do not include sensitive information (e.g., personal data, protected health information, and proprietary information relating to, or associated with MED-EL products) in any documents submitted to MED-EL.
- Do not operate outside of the scope described in this Policy.
- Refrain from disclosing vulnerability details to the public before any mutually agreed-upon timeframe expires and without prior discussion with MED-EL.
- Purge any stored MED-EL non-public data after the vulnerability has been reported to MED-EL.
- Provide MED-EL with details of communication to regulatory organizations or other third parties about any discovered vulnerability as quickly as possible.
How to Report a Vulnerability
Please send potential security vulnerabilities discovered in MED-EL products to the MED-EL PSIRT at ProductSecurity[at]medel[.]com using our PGP public key. Reports may also be submitted anonymously. We accept vulnerability reports in English (preferred) or German.
When submitting a vulnerability report, please provide full details. This includes:
- The name, version, and configuration details (e.g., software, hardware) of the affected product. Model or product serial number, if available.
- A description of the vulnerability and the environment in which it was discovered.
- The potential impact of exploitation.
- Detailed steps to reproduce the vulnerability, including a description of any tools needed to identify or exploit the vulnerability.
- Screenshots, code snippets, log files, or video to demonstrate proof of concept.
- Whether or not you would like to be credited publicly with discovering the vulnerability if we publish a document addressing it.
Please do not use this mechanism to report trivial system faults, such as typos or user interface errors that do not result in a vulnerability. If you need to report something other than a vulnerability, please navigate to Contact Us.
What You Can Expect from Us
The process of handling vulnerability reports consists of four steps.
1. Report Acknowledgment
We will acknowledge receiving your report within seven (7) calendar days and provide you with a unique tracking number for your report.
2. Triage and Analysis
After confirming that the vulnerability report is within the scope of the Policy, we will notify the appropriate product teams and security engineers to evaluate and validate reported findings. You may be contacted to provide additional information at this stage. If the existence of the vulnerability is confirmed, we will conduct a risk assessment to determine the appropriate action. We will keep you informed on the status of your report.
3. Remediation
If a vulnerability impacts patient safety, we will work with the product teams to develop a resolution and take appropriate action. All other vulnerabilities will be evaluated and addressed according to the assessed risk. We will keep you informed about vulnerability remediation status updates and expected timelines.
4. Disclosure
MED-EL will use existing customer notification processes to manage the release of patches, which may include direct customer notification, or public release of a product security advisory.
Legal Information
Reporting of vulnerabilities is completely voluntary. Submitting information on potential vulnerabilities does not create any rights on behalf of the submitting party or obligations on behalf of MED-EL. MED-EL can use the information at its discretion. By sharing the vulnerability report with MED-EL, the Reporter agrees that the submission will be governed by this Policy. Information on how MED-EL handles personal data can be found in the Data Privacy Policy.
MED-EL does not have a bug bounty program. Thus, the acknowledgement of the reported vulnerability cannot be exchanged for monetary compensation. We will provide credit after the vulnerability has been validated and fixed, if desired.
All aspects of this Policy are subject to change without notice and to case-by-case exceptions. No particular level of response is guaranteed for any specific issue or class of issues.
This Policy was last updated in October 2024.