If you submit findings, please follow the procedures below so that we can respond in a safe and timely manner. These procedures outline how to get in touch with us, how we will respond and some important things to consider.
Please send a PGP-encrypted email to email@example.com and provide as much information as possible including:
the steps to reproduce the issue;
screenshots, logs or code used; and
your contact details, so we can contact you should we require more information to confirm the report.
Download our public PGP key here
Fisher & Paykel Healthcare will:
contact you to acknowledge the request and may ask for additional information;
verify the vulnerability, and coordinate with relevant parties;
develop a plan to remediate the vulnerability if required;
communicate with you regarding disclosure; and
make every effort to respond to enquiries within 10 business days.
Please refrain from including sensitive information, such as patient information, in any screenshots or other attachments you provide to us.
Do not perform any vulnerability or similar testing that seeks to disrupt products that are actively in use.
Do not take advantage of the vulnerability or problem you have discovered.
Do not attempt social engineering or phishing exercises.
After vulnerability testing, each device should be retested to ensure no damage has been inflicted and the device is suitable for use.
Do not prematurely disclose findings. As part of responsible co-ordination of vulnerability disclosure, we encourage you to work with us to minimize the possibility of public safety, privacy and security risks.
We will recognise and, if requested, provide credit to any researcher who discovers a verifiable vulnerability.
If you have any concerns related to privacy or data, or need to inform us of a privacy incident, please send an email directly to firstname.lastname@example.org so we can take action immediately.