Responsible Disclosure

At Nedap Healthcare, the security of our systems is the top priority. Despite the effort we put into the security of our systems, there might still be vulnerabilities present. We recognize that we cannot find all bugs ourselves, and that security researchers and our community play an important role in keeping our systems safe.

We have adopted a Responsible Disclosure Programme as described below, to encourage everybody to report potential security vulnerabilities. If you discover such a vulnerability, we would like to know about it and we would like to ask your help so we can take steps to address it.

In scope

All vulnerabilities concerning the safety of applications, including mobile applications provided by Nedap Healthcare over the internet are in scope.

What to report

Vulnerabilities concerning the safety of Nedap Healthcare’s services offered through the internet. Examples of such vulnerabilities can include:

• Cross-site scripting (XSS) vulnerabilities
• SQL injection vulnerabilities
• Security misconfiguration
• Sensitive data exposure

 

Out of Scope

Out of scope are all domains that are not related to Nedap Healthcare. Nedap N.V. has several business units, Healthcare is one of them. In this programme we solely focus on the issues for the Healthcare business unit. (For all business units, see https://nedap.com/business-units/)

What not to report

We will not accept any trivial issues, or vulnerabilities that cannot be exploited. The responsible disclosure is meant for issues that can immediately be exploited. Any out of scope issues that cannot be directly exploited will be marked as info, and may not be responded to as quickly.

Some examples of issues that will NOT be accepted are:

• HTTP 404 codes, or any non-200 codes
• Fingerprinting on public services
• Public files, or files with harmless information (i.e. robots.txt)
• Clickjacking-related issues
• SPF, DKIM or DMARC issues
• Reports about old software versions without a POC for a working concept
• Issues related to the use of old browser versions

The responsible disclosure contact cannot be used as a way to get in touch with Nedap Healthcare for reports like:

• Questions or complaints about availability
• Questions or complaints about Nedap Healthcare’s services or products
• Fake e-mails or phishing e-mails

 

Guidelines for security research

Do not reveal any found vulnerability or problem to others until it is resolved.

Do’s

• Do report the vulnerability as quickly as is reasonably possible, to minimise the risk of hostile actors finding it and taking advantage of it.
• Do report in a manner that safeguards the confidentiality of the report so that others do not gain access to the information.
• Provide sufficient information to reproduce the problem, so we will be able to resolve it. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient. However, complex vulnerabilities may require further explanation.

 

Don’ts

Do not engage in security research that involves:

• Potential or actual damage to
  – Users
  – Systems
  – Data
  – Applications
• Creating your own backdoor in an information system, even with the intention of then using it to demonstrate the vulnerability.
• Utilising a vulnerability further than necessary for establishing its existence.
• Copying, modifying and/or deleting data on the system. An alternative is to make a directory listing of the system
• Making changes to the system.
• Repeatedly gaining access to the system, or sharing access with others.
• Brute force attacks, social engineering, DDoS attacks, spam or attacks on physical security.
• The use of third parties to gain access to the system.
• Disruption of our online services.

 

What we promise

• By investigating our systems, it might be that you act prosecutable. In case you act with good faith and act in accordance to the mentioned rules, there will not be any inducement to report your action. Therefore, follow the rules of this responsible disclosure.
• Our goal is to respond to your report within one week, with our evaluation and timeframe for fixing the issue.
• We will not pass on your personal details to third parties without your permission, unless it is necessary to comply with a legal obligation. Reporting under a pseudonym or anonymously is possible.
• We will keep you informed of the progress towards resolving the problem.

We strive to resolve all problems as quickly as possible, and we are happy to play an active role in a publication on the problem after it is resolved.

Reporting

Submit your findings by using this Responsible Disclosure form. We can only process reported vulnerabilities that are reported in Dutch or English.

Rewards

Depending on the severity and in case your reported vulnerability is solved or led to a change in our services, you will be eligible for a reward. To be eligible for a reward, you must be the first person that to report the vulnerability.

More info

With regard to reporting vulnerabilities in IT-systems, the National Cyber Security Centre of the Ministry of Security and Justice in The Netherlands has made up guidelines. Nedap Healthcare’s guidelines are based upon those. In case you want to learn more about these guidelines, visit https://www.ncsc.nl.