LivaNova Coordinated Vulnerability Disclosure (CVD) Statement
Last updated: Oct 9, 2023
LivaNova values and encourages responsible reporting of potential vulnerabilities identified by security researchers and customers. If you have identified a potential security vulnerability, you can submit a report of your findings according to the process outlined in this CVD Statement.
Scope of the CVD Program
LivaNova’s vulnerability disclosure program covers our medical devices, supporting software, web services and mobile applications. This program is not for product technical support or quality complaints; instead, please contact LivaNova Customer Quality or Clinical Technical Services. This program also does not cover LivaNova websites and other enterprise assets.
How to submit a vulnerability report
Note that all information submitted to LivaNova must be encrypted with our PGP key. Please provide the report in English whenever possible.
Please prepare a vulnerability report with the following information:
1. A technical description of the vulnerability, including:
- The suspected vulnerability.
- The potentially affected product(s), service(s) or application(s), including name and version number; the technical infrastructure used, including operating system and version; and other related information such as network configuration details.
- For web-based services, the date and time of testing, URLs, browser type and version, and the input provided to the application.
- Reproducible steps regarding the suspected vulnerability, to facilitate analysis or investigation of the report.
2. Any additional information that may be relevant, including:
- The tools used to conduct the testing and the test configurations. If you used specific proof-of-concept or exploit code, please provide a copy.
- Whether you identified specific vulnerability threats, assessed the risk, or have seen the vulnerability being exploited.
3. Whether you notified any vulnerability coordinators (such as ICS-CERT, CERT/CC), including the agency and any tracking number.
4. Your contact information, including your name, organization and email address.
Email the vulnerability report to LivaNova at productsecurity@LivaNova.com using our PGP public key to encrypt your message. Our public key can be found on the PGP public key server keys.openpgp.org using the fingerprint 6F4ACC4871FE987AC58D5427D928D3B2EA1C7B40.
Submit only one vulnerability per report, unless you need to connect vulnerabilities to demonstrate their impact.
What you can expect from us
1. LivaNova will acknowledge receipt of your report within 5-7 business days.
2. We will take steps to review and investigate the report, as appropriate, and contact you if additional information is required.
3. If the vulnerability is in a third-party component, we will refer your report to the third party and advise you of that notification. You should work directly with the third party regarding any further status or actions related to your report. We cannot and do not authorize security research involving other entities.
4. We will provide you with a summary of our findings related to your report.
5. If the report results in a public disclosure by LivaNova, we can publicly acknowledge the researcher(s) who made the relevant vulnerability report, if you would like to be acknowledged. LivaNova will determine, in its sole discretion, whether public recognition for resolved vulnerabilities will be provided. In so doing, we will take into consideration, among other factors, whether you complied with this Statement and the contribution to product security.
What we expect from you
When conducting vulnerability testing and reporting potential security vulnerabilities to LivaNova, we request that you:
1. Do not engage in testing that may impact customers' or patients' privacy or safety, or patient care.
2. Do not include sensitive information, personally identifiable information or protected health information in your report or supporting documentation.
3. Cooperate with LivaNova regarding the release of information, to comply with regulatory requirements and minimize risks to patient safety and privacy.
In particular, please adhere to the following guidelines when performing vulnerability testing:
1. Do not perform any testing on products actively used in patient care.
2. Do not attempt to gain physical access to any of our facilities.
3. For web-based products, use demo/test environments.
4. Do not exploit the potential vulnerability, or access the system repeatedly, beyond what is necessary to identify it. For example, do not download more data than is necessary to demonstrate the vulnerability, and do not delete or modify data.
5. Do not damage or alter product or system functionality, make any changes to the system, or build a backdoor in the system in order to demonstrate the vulnerability.
6. Do not use brute force attacks or social engineering to gain access to the system, or share your access with third parties.
If you share any information with LivaNova, you agree that LivaNova is allowed to use such information in any manner, in whole or in part, without any restriction, and the information will be considered as non-confidential and non-proprietary to you. You also agree that submitting information does not create any rights for you or any obligation for LivaNova.