Qlucore Vulnerability Disclosure Policy

1. Vulnerability Disclosure Policy

Qlucore is committed to ensuring the safety and security of all products developed within In-Vitro Diagnostics. Qlucore strives to protect the integrity, privacy, and security of all our customers, users, and patients via our development process. However, we welcome invaluable contributions from security researchers or other users.

Qlucore maintains a security page to ensure an efficient process for reporting and handling any security vulnerabilities.

1.1. Policy Scope

All supported products and services by Qlucore. The aim at Qlucore is to reduce risk to patient safety and security by any discovered vulnerability.

1.2. Reporting Procedure

Instructions to submit a report.

1. Submit a report, preferably in English to csirt@qlucore.com.

2. Please Use our PGP public key to encrypt any email submissions.

3. Provide us with your reference/advisory number and sufficient contact information, such as contact name and organization.

4. Provide a detailed technical description of the concern or vulnerability.

a. Information on specific product tested (name and version); infrastructure used; operating systems and version; and any other relevant information.

b. For web-based services, provide the date and time of testing, the browser details, the URLs, any input provided to the application.

c. To help verify the issue, any additional information including tools used to test, testing configurations. Any proof-of-concept code (clearly marked and encrypted with PGP key).

d. If you have identified specific threats, assessed risk or have evidence that vulnerability is being exploited.

5. If you communicate vulnerability information to vulnerability coordinators such as ICS-CERT, CERT/CC, NCSC or other parties, please advise us and provide their tracking number, if available.

1.3. Report Assessment and Action

Once a report has been received, Qlucore will:

1. Acknowledge receipt within 3 business days.

2. Provide a unique tracking number.

3. Perform an initial assessment as per internal procedures.

4. Request additional information, if necessary.

5. If the vulnerability is in a third-party component which is part of our product, we will refer the report to that third party and advise you of that notification. With your consent, share your contact information with the third-party.

6. Upon verifying the reported vulnerability:

a. Work on a resolution,

b. Perform QA/validation on the resolution,

c. Release the resolution.

7. If requested, provide recognition to the reporter, if the report results in a publicly released fix or communication

1.4. Important Additional Information

1. Avoid including sensitive information, e.g., patient information in screenshots or other attachments.

2. Comply with all applicable laws and regulations.

3. Do not perform testing on products that are actively in use. Vulnerability testing should only be performed on devices that are currently not in use, i.e., not actively being used for patient care, diagnostics, or monitoring.

4. Do not take advantage of the vulnerability or any issue you have discovered, e.g., downloading more data than necessary to demonstrate the issue.

5. Please give us an opportunity to fix the reported vulnerability before going public with it. We request you to work together with Qlucore on selecting public release dates for information on discovered vulnerabilities to reduce the possibility of safety and security risks.

6. Do not use social engineering to gain access to the system.

1.5. Legal Consideration

Qlucore will not pursue legal action against those who act in good faith and in compliance with the instructions and guideline described here, along with applicable laws.