Coordinated Disclosure Process


Protecting the confidentiality and integrity of patient data and Inmedix products and services is very important to us. If you believe you have identified a potential security vulnerability in an Inmedix product or service, please contact us utilizing the process below. We encourage you to work with us using this coordinated disclosure process to avoid early public disclosure that may put patient data or Inmedix products and services at unnecessary risk.

How To Contact Us

Please email [email protected], encrypting your message with our PGP public key to protect sensitive information. Please provide submissions in English, if possible.

What Details To Provide

Please provide the following information with your submission:

  • Your contact information, including name(s), organization name, email address, and phone number, so we can follow up with you. We will not share your contact information outside of Inmedix without your permission.
  • Technical description of the concern or vulnerability, including:
      • When, where, and how it was discovered.
      • Which products, devices, and systems may be involved.
  • Whether you were able to access any protected health information or other personally identifiable information about individuals related to the product or system. Please do NOT include any protected health information or personally identifiable information about others in your submission.
  • Any other information you think may be helpful to us, including information about the tools used to perform the testing, proof-of-concept exploit code, or network traces.
  • Whether you have notified anyone else about the potential vulnerability, such as regulatory agencies, vendors, vulnerability coordination organizations, etc.

What Inmedix Will Do

  • Within five business days, Inmedix will confirm receipt of your submission and provide a contact for any follow up.
  • We will review the submitted information, investigate the potential vulnerability, and, if determined to be necessary, conduct a risk assessment to determine appropriate action. We may follow up with you for additional details.
  • Once we have completed our determination, we will follow up with you to provide a summary of our findings.
  • We may create a security bulletin for confirmed vulnerabilities, and may provide direct notification to our customers, post the security bulletin on this website, and disclose vulnerability details to information security coordination organizations such as H-ISAC.
  • We may publicly acknowledge your contribution, subject to consent.

Important Information

  • Please comply with all laws and regulations when performing your research, and avoid actions that could harm products or disrupt services, such as brute force testing, tests on devices in active use, tests on software in production testing, exploiting any vulnerability, or actions that could result in a change to the product or service after testing has been conducted.
  • By submitting information, you agree that your submission will be governed by Inmedix’s Privacy Policy and Terms & Conditions. [links to corresponding pages]
  • We reserve the right to change any aspect of this coordinated disclosure process at any time without notice, and to make exceptions to the process for individual cases.