SetPoint Medical Cybersecurity

SetPoint Medical is committed to ensuring our medical devices and systems are safe from vulnerabilities that would impact the integrity of our products or the privacy of our patients and customers. SetPoint Medical employs Secure by Design and Secure by Default principles in all its development efforts and has made cybersecurity an integral part of its Quality Management System.

As the cybersecurity landscape is constantly evolving and cyberattacks are consistently becoming more sophisticated, SetPoint Medical recognizes the need to stay vigilant and adaptable to ensure our systems and devices remain secure. We proactively monitor our devices and systems for new vulnerabilities and are committed to providing an expedient response and remediation should new threats be discovered.

SetPoint Medical is committed to providing a transparent view into our security systems so patients and healthcare providers can be confident their use of SetPoint Medical devices is always safe and secure in all environments. An up-to-date description of our security systems may be found in our Cybersecurity Technical Guide.

Vulnerability Disclosure Program

Scope

SetPoint Medical is committed to working collaboratively with the security research community to ensure timely and responsible disclosure and remediation of newly-discovered cybersecurity threats. This coordinated vulnerability disclosure program provides direct access to SetPoint Medical’s cybersecurity experts.

This program is not intended to provide technical support information or be a platform for reporting Adverse Events or Product Quality Complaints. Please contact SetPoint Medical Customer Support for any of these types of reports or questions.

How to Report A Security Vulnerability

If you believe you have discovered a potential security vulnerability or privacy issue with SetPoint Medical products or systems, please contact us by sending an email to [email protected]. We strongly encourage that all correspondence to our security teams be encrypted by utilizing our PGP Public Key.

What to Include in a Report

Please include in your report whichever of the following details are available to you.

  • Contact Information
    • Name
    • Organization name
    • Email address
    • Phone number
  • Vulnerability Technical Description
    • When, where, and how the vulnerability was discovered
    • What products/devices/systems the vulnerability is thought to impact
    • Steps to reproduce the vulnerability
    • Any specific environment, tools, or network configurations needed to reproduce the vulnerability
    • Proof-of-exploit code
    • Any additional details that you believe will be helpful for SetPoint Medical to identify root cause of the vulnerability
  • Disclosure information
    • Your plans for public disclosure
    • Whether the vulnerability has been communicated with anyone else (including other companies or regulatory agencies)
    • Whether you would like public recognition if the vulnerability is verified and an advisory is published

Please do NOT include any of the following information in your report. If any of the following is involved in a vulnerability, state that the content may be compromised, but do not include the actual data in your report.

  • Data that contains sensitive information (e.g., patient health information or personally identifiable details of individuals other than the reporter)
  • Keys or authorization tokens

What to Expect after a Report

After your report, you can expect the following events to occur. SetPoint Medical will strive to be as transparent as possible about its investigation efforts and remediation timelines.

  • SetPoint Medical will confirm we have received your submission as soon as possible – this will occur within no more than 7 calendar days.
  • We will provide you with the contact information of a vulnerability coordinator for ongoing communication.
  • SetPoint Medical’s cybersecurity team will begin an investigation on the report.
  • Should the vulnerability be discovered to be valid and new, SetPoint Medical will immediately perform a risk analysis and develop a remediation plan.
  • SetPoint Medical’s cybersecurity experts may want to follow up with you to better understand your discovery.
  • SetPoint Medical will follow up with you with the determinations of its investigation.
  • If a report is determined to be a new or ongoing vulnerability, SetPoint Medical may discuss the following with the reporter:
    • Whether the reporter would like to be publicly acknowledged for their discovery
    • Expected timeline for remediation plans to be developed and deployed
    • The reporter’s agenda for publication
    • SetPoint Medical’s agenda for publishing a security bulletin or advisory
    • A mutually agreeable embargo period for public disclosure

Good Faith Reporting

SetPoint Medical asks that all security research and vulnerability reports be performed in good faith. We believe good faith efforts adhere to the following guidelines.

  • The research does not cause harm to people or in-use devices – this includes activities that may result in denying access to service (e.g., brute force testing)
  • The research does not attempt to access user information other than the researcher’s own information
  • The research is never performed on devices that are actively in use, or will eventually be used, by patients or healthcare providers
  • Findings are reported to SetPoint Medical and reasonable time is allowed for remediation prior to public disclosure

Legal Considerations

SetPoint Medical asks that you comply with all applicable laws and regulations when conducting your research. We assure researchers that we will not pursue legal action against individuals who discover and report vulnerabilities in good faith and compliance with this policy. If you have identified a cybersecurity vulnerability and prefer to disclose the matter directly to a regulatory agency rather than SetPoint Medical, please contact the appropriate regulatory agency.

By submitting information to SetPoint Medical through this process, you are agreeing that the information you submit is to be considered non-proprietary and non-confidential such that SetPoint Medical is allowed to use the information in any manner, in whole or in part, without restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for SetPoint Medical.

SetPoint Medical reserves the right to change any aspect of this coordinated disclosure process at any time without notice, and to make exceptions to it on a case-by-case basis.

Recognition and Rewards

SetPoint Medical values the contributions of security researchers. In addition to public acknowledgement, we may offer other forms of recognition or rewards, such as monetary rewards, swag, or other incentives, for valuable contributions. Details of our recognition program can be found on our Vulnerability Disclosure Recognition and Rewards Page.