Coordinated Vulnerability Disclosure (CVD)
Scope
This CVD process applies to the reporting of potential cybersecurity vulnerabilities in DESKi products and services.
The CVD process is not intended to provide technical support on our products or for reporting Adverse Events or Quality Complaints.
Scope
Security researchers must comply with the following prerequisites at all times:
- Ensure that actions do not put patient safety at risk
- Comply with all applicable laws and regulations of your location and the location in which the DESKi product is located
- Obtain written permission from the product owner before beginning security testing
- Do not disclose the vulnerability details publicly before a mutually agreed timeframe with DESKi
- Products must be returned to their original state before use in a clinical environment
- Write reports in English, if possible
Reporting procedure
Coordinated Vulnerability Disclosure Reports shall be submitted via email to: security@deski.ai.
Please use email encryption with our public PGP key.
We ask that you please refrain from including sensitive information (e.g., sample information, PHI, PII, etc.) as a part of any submissions to DESKi. Please provide the following information in your submission:
- Your contact information (e.g., name, address, phone number)
- Date and method of discovery
- Description of potential vulnerability
- Product name
- Version number
- Configuration details
- Steps to reproduce
- Tools and methods
- Exploitation code
- Privileges required
- Results or impact
What Happens Next
Upon receipt of a potential product vulnerability submission, DESKi will:
- Acknowledge receipt of the submission within two (2) business days
- Investigate the potential vulnerability
- Conduct risk analysis to determine appropriate action
- Contact the submitter to request additional information, if needed
- Provide the submitter a summary of the findings throughout the process
Notice
In the event you decide to share any information with DESKi, you agree that the information you submit will be considered as non-proprietary and non-confidential and that DESKi is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for DESKi.