Vulnerability Disclosure Policy

In vitro diagnostics devices have become more connected and reliant on information technology than ever before, improving measurement, response and treatment times. However, this also makes medical devices more vulnerable to emerging cybersecurity threats and malicious hackers, which can jeopardise the security and safety of patients and operators or lead to the loss or disclosure of sensitive health data.

As a partner in your operation, we are committed to providing you with optimal support for safeguards across your facilities, and to providing our customers with the information they need on an on-demand basis.

Vulnerability Disclosure Policy

At Sysmex Asia Pacific, we value the confidentiality, integrity and accessibility of all protected health and personally identifiable information (e.g., PHI, PII). With the established Sysmex Global Information Security Regulation, we ensure all information we handle, including customer information, is protected from cybersecurity threats, disasters, and accidents.

The Sysmex Organisation is also compliant with all applicable federal and state privacy and security laws.

Cybersecurity readiness is important in Sysmex company culture. We actively participate and support national and international initiatives and associations to improve the security of medical devices and create new standards. We also implement administrative, technical, and physical safeguards at an early stage, i.e. during the design process, to further improve our medical device resiliency and prevent possible security incidents or privacy breaches.

With a Digital Transformation Strategy in mind, Sysmex established a global Product Security Policy in 2019 and created a dedicated security management framework under the supervision and management of a Senior Executive Officer and Senior Managing Director acting as Information Security Officer. Our global and regional Product Security Incident Response Team (PSIRT) supports product design and manufacturing, post-marketing vulnerability identification, analysis, and local incident response activities.

This vulnerability disclosure policy applies to any vulnerabilities you are considering reporting to us (“Sysmex Asia Pacific”). We recommend reading this vulnerability disclosure policy fully before you report a vulnerability and always acting in compliance with it. We value those who take the time and effort to report security vulnerabilities according to this policy. However, we do not offer any rewards of any kind for vulnerability disclosures.

If you believe you have found a security vulnerability, please submit your report to us through the Vulnerability Reporting Form.

The form allows the reporter to submit the following information:

1. Reporter Name
2. Reporter Email
3. Reporter Organisation (optional)
4. Subject of the report (Simple summary of the report)
5. The product name and model number
6. Functionality, configuration, website, IP address or page where the vulnerability can be observed.
7. A brief description of the type of vulnerability, for example, “XSS vulnerability”.
8. How you found the vulnerability, and the steps to reproduce it.
9. Attachment (related to the vulnerability, for example: screenshots of proof)

These should be a benign, non-destructive proof of concept. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or of malicious exploitation of some vulnerabilities, such as sub-domain takeovers.

After you have submitted your report, we will respond to your report within 7 working days and aim to triage your report within 21 working days. We’ll also aim to keep you informed of our progress.

Priority for remediation is assessed by looking at the impact, severity and exploit complexity. Vulnerability reports might take some time to triage or address. You are welcome to enquire on the status if we did not get back to you in 30 working days. This allows our teams to focus on the remediation.

We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately.

Once your vulnerability has been resolved, we welcome requests to disclose your report. We’d like to unify guidance to affected users, so please do continue to coordinate public release with us.

You must NOT:

  • Break any applicable law or regulations.
  • Access unnecessary, excessive or significant amounts of data.
  • Modify data in the Organisation’s systems or services.
  • Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
  • Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
  • Disrupt the Organisation’s services or systems.
  • Submit reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers.
  • Submit reports detailing TLS configuration weaknesses, for example “weak” cipher suite support or the presence of TLS1.0 support.
  • Communicate any vulnerabilities or associated details other than by means described in the published security.txt.
  • Social engineer, ‘phish’ or physically attack the Organisation’s staff or infrastructure.
  • Demand financial compensation in order to disclose any vulnerabilities.


You must:

  • Always comply with the Sysmex Privacy Policy stated in https://www.sysmex-ap.com/privacy/.
  • Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first.

This policy is intended to set out our vulnerability disclosure practices. Notwithstanding any provision in this policy, the policy does not permit any individual or entity to perform any act or make any omission, in any manner which:

(i) is inconsistent with or breaches any applicable law; or

(ii) might cause us or our affiliates, partners and related corporations to be in breach of any contractual obligations or applicable law.

Vulnerability Reporting Form

The only accepted attachment format is PDF, and the maximum file size is around 15 MB. For anything larger, the sender can provide a link to an external repository instead.

Latest updates

Update on 1 December 2022:

“We will continually publish information to help our customers identify, investigate and, if necessary, mitigate security vulnerabilities to their Sysmex products and services.”