Product Security
At Francis Medical, we are committed to the security, safety, and effectiveness of our medical products. While our current product offerings do not include network-connected components, we recognize the importance of addressing potential vulnerabilities across the full range of device software and interfaces. We welcome and encourage responsible disclosure of any potential cybersecurity vulnerabilities related to our products or product-supporting software.
This Coordinated Vulnerability Disclosure (CVD) Policy outlines how researchers, customers, and partners can report potential vulnerabilities and how we will work with you to address them.
Scope
This policy applies to:
- Francis Medical’s medical devices and any software embedded in or distributed with those devices.
- Software applications or local user interfaces used to operate or support Francis Medical products.
This policy does not apply to:
- Corporate IT systems (website, email systems, etc.).
- Third-party components not maintained by Francis Medical.
This policy is not meant for technical support information on Francis Medical products or for reporting Adverse Events or Product Quality Complaints. For these other matters, please contact Francis Medical support at the following email:
- Support, Complaints, Adverse Events: Customerservice@francismedical.com
Our Commitment
If you report a potential vulnerability in scope:
- We will acknowledge your report within 10 business days.
- We will investigate the issue and provide progress updates at intervals of no more than 30 days, starting from the acknowledgement date.
- We will coordinate remediation and disclosure where applicable.
- We will not pursue legal action against you if you adhere to this policy.
How to Report a Vulnerability
If you believe you have discovered a potential security vulnerability in a Francis Medical product or system, please contact us in English at: product-security@francismedical.com
Please include the following in your report:
- Product name, version number, and configuration details.
- Description of the potential vulnerability and the environment in which it was discovered.
- Steps to reproduce or demonstrate the issue.
- Any supporting artifacts (screenshots, logs, proof-of-concept code, evidence of exploitation).
- Prior or intended disclosure of vulnerability information to other parties (e.g. regulators, vulnerability coordinators, vendors).
- Your contact information.
Please do not include any personal information, such as sensitive/health information.
Expectations for Researchers
To help us protect patient safety and product integrity:
- Avoid testing methods that could disrupt patient treatment or system availability.
- Do not attempt to access or modify patient data.
- Do not exploit the vulnerability beyond what is necessary to demonstrate it.
- Provide Francis Medical with reasonable time to investigate and address the issue before disclosing it publicly.
- Avoid actions that could make changes to a product or system after the test is completed.
- Comply with all applicable laws.
- Francis Medical takes cybersecurity very seriously and we will investigate promptly. Please expect check-ins from us every 30 days or less.
What Francis Medical Will Do
- Within 10 business days, Francis Medical will confirm we have received your submission and give you the name of a contact person.
- We will notify the appropriate security engineers who may want to follow up with you to better understand what you’ve found, or to confirm technical details.
- We will investigate the potential vulnerability.
- We will conduct a risk analysis to determine appropriate action.
- Once determined, we will provide you with a summary of our findings.
- If we determine the issue warrants disclosure, we will publish a notification on this page, and we will report it to the appropriate external parties such as Cyber Emergency Response Teams (CERTs) and Information Sharing and Analysis Organizations (ISAOs).
- We may publicly acknowledge your contribution to improving the security of our products and services, subject to your agreement.
Safe Harbor
We consider activities conducted in good faith and in compliance with this policy to be authorized. We will not initiate legal action against researchers who adhere to this policy and act in good faith.
If you are unsure whether your activities fall within this policy, please contact us before proceeding.
Disclaimer
By submitting information through this process, you agree your submission will be considered non-proprietary and non-confidential, and that Francis Medical is allowed to use the information in any manner, in whole or in part, without any restriction. You also agree that submitting such information does not create any rights for you or any obligations for Francis Medical.
Continuous Improvement
Our CVD process supports Francis Medical’s commitment to proactive cybersecurity management and is part of our overall post market surveillance program. Francis Medical will periodically review and update this CVD policy as our products and cybersecurity practices evolve. We reserve the right to change any aspect of our coordinated disclosure process at any time without notice, and to make exceptions to it on a case-by-case basis.