CyberMed

Chapter 5: Post-Market Security Management · Section 5.6

Coordinated Vulnerability Disclosure

5.6.1 Understanding CVD

Coordinated Vulnerability Disclosure (CVD) is the process of working with the security researchers who find and report vulnerabilities in your products, so that fixes are ready before details become public. FDA references ISO/IEC 29147:2018 and ISO/IEC 30111:2013 as the standards for CVD.

Why CVD Matters

Benefits:

  • Find vulnerabilities before attackers
  • Build researcher relationships
  • Demonstrate security maturity
  • Improve products

Without CVD:

  • Researchers go public immediately because there is no channel to report through
  • No time to develop and distribute patches before details are public
  • The manufacturer is surprised by disclosures it could have prepared for
  • Reputation damage

5.6.2 Setting Up Your CVD Program

Essential Elements

Clear Reporting Channel:

security@manufacturer.com
https://manufacturer.com/security
PGP key for encrypted reports

Published Policy:

  • Scope (what products)
  • Process (what happens)
  • Timeline (response times)
  • Recognition (acknowledgments)

Example CVD Policy Structure:

# Coordinated Vulnerability Disclosure Policy

## Scope
This policy applies to all [Manufacturer] medical devices and associated software.

## Reporting
Email: security@manufacturer.com
PGP: [Key fingerprint]
Web: https://manufacturer.com/report-vulnerability

## Our Commitment
- Acknowledge receipt within 5 business days
- Provide severity assessment within 10 days
- Regular updates on progress
- Coordinate disclosure timing

## Recognition
- Public acknowledgment (with permission)
- Inclusion in security advisories
- Good faith commitment

## Out of Scope
- Physical attacks requiring device modification
- Social engineering of our staff
- Denial of service attacks

5.6.3 Managing Researcher Relationships

Initial Response Template:

Subject: Re: Vulnerability Report - [Device Name]

Thank you for your vulnerability report dated [date].

We confirm receipt and are beginning our assessment.

Tracking number: VULN-2024-001
Expected initial assessment: [date + 10 days]

We'll provide regular updates on our progress.

Best regards,
[Product Security Team]

Relationship Best Practices:

  • Respond promptly
  • Be professional
  • Show appreciation
  • Keep promises
  • Give credit

5.6.4 Disclosure Timeline Negotiation

Work with researchers on disclosure timing rather than imposing it; the standard milestones below are a starting point that both sides adjust to the factors listed after them:

Standard Timeline:

  • 0 days: Report received
  • 5 days: Acknowledgment
  • 10 days: Initial assessment
  • 30-120 days: Patch development
  • X days: Coordinated disclosure

Factors Affecting Timeline:

  • Vulnerability severity
  • Exploit complexity
  • Patch difficulty
  • Deployment challenges
  • Patient risk
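As an added example (not part of the guide), the commitments above turned into a small milestone calculator: the 5-business-day acknowledgment, the 10-day assessment, a severity-keyed patch window clamped to the guide's 30-120 day range, and an overdue check for status updates. The severity buckets and the extra_days adjustment are this example's own assumptions.

```python
from datetime import date, timedelta

# Offsets taken from the policy commitments and standard timeline above.
ACK_BUSINESS_DAYS = 5                          # acknowledge within 5 business days
ASSESSMENT_DAYS = 10                           # severity assessment within 10 days
PATCH_WINDOW_MIN, PATCH_WINDOW_MAX = 30, 120   # 30-120 days patch development

# Assumed severity buckets: the guide gives only the 30-120 day range, so this
# mapping is the example's own choice, not the guide's.
PATCH_WINDOW_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 120}


def add_business_days(start: date, n: int) -> date:
    """Advance start by n business days (Mon-Fri); holidays are not modelled."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def cvd_schedule(report_date: date, severity: str, seq: int, extra_days: int = 0) -> dict:
    """Milestone dates the product security team commits to for one report.

    extra_days widens the patch window for the factors listed above (patch
    difficulty, deployment challenges); the result stays inside 30-120 days.
    """
    if severity not in PATCH_WINDOW_DAYS:
        raise ValueError(f"unknown severity: {severity}")
    window = PATCH_WINDOW_DAYS[severity] + extra_days
    window = max(PATCH_WINDOW_MIN, min(window, PATCH_WINDOW_MAX))
    return {
        "tracking_id": f"VULN-{report_date.year}-{seq:03d}",   # format used above
        "report_received": report_date,
        "acknowledgment_due": add_business_days(report_date, ACK_BUSINESS_DAYS),
        "assessment_due": report_date + timedelta(days=ASSESSMENT_DAYS),
        "patch_window_days": window,
        "disclosure_target": report_date + timedelta(days=window),
    }


def overdue(schedule: dict, today: date, completed: set) -> list:
    """Milestones whose due date has passed without being marked completed."""
    milestones = ("acknowledgment_due", "assessment_due", "disclosure_target")
    return [m for m in milestones if m not in completed and schedule[m] < today]
```

Calling cvd_schedule(date(2024, 3, 1), "high", seq=1) yields VULN-2024-001 with acknowledgment due 2024-03-08, assessment due 2024-03-11 and a disclosure target of 2024-04-30.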
