Fisher & Paykel Healthcare Vulnerability Disclosure

At Fisher & Paykel Healthcare, we support coordinated vulnerability disclosure, which means reporting any security flaws discovered in our computer software, hardware or data systems. We welcome vulnerability testing by security researchers and customers and encourage you to report any vulnerability findings to us.

 

If you submit findings, please follow the procedures below so that we can respond in a safe and timely manner. These procedures outline how to get in touch with us, how we will respond and some important things to consider.

 

Getting in touch

Please send a PGP-encrypted email to securityreports@fphcare.com and provide as much information as possible including:

  • the steps to reproduce the issue;

  • screenshots, logs or code used; and

  • your contact details, so we can contact you should we require more information to confirm the report.

 

Download our public PGP key here

 

What happens next?

Fisher & Paykel Healthcare will:

  • contact you to acknowledge the request and may ask for additional information;

  • verify the vulnerability, and coordinate with relevant parties;

  • develop a plan to remediate the vulnerability if required;

  • communicate with you regarding disclosure; and

  • make every effort to respond to enquiries within 10 business days.

 

Important points to note

  • Please refrain from including sensitive information, such as patient information, in any screenshots or other attachments you provide to us.

  • Do not perform any vulnerability or similar testing that seeks to disrupt products that are actively in use.

  • Do not take advantage of the vulnerability or problem you have discovered.

  • Do not attempt social engineering or phishing exercises.

  • After vulnerability testing, each device should be retested to ensure no damage has been inflicted and the device is suitable for use.

  • Do not prematurely disclose findings. As part of responsible coordination of vulnerability disclosure, we encourage you to work with us to minimize the possibility of public safety, privacy and security risks.

We will recognise and provide credit to any researcher who discovers a verifiable vulnerability if requested.

 

Privacy Concerns

If you have any concerns related to privacy or data, or need to inform us of a privacy incident, please send an email directly to privacy@fphcare.com so we can take action immediately.