1. Refrain from including sensitive information, e.g. patient information, in any screenshots or other attachments you provide to us.
2. Do not perform any vulnerability or similar testing on products that are actively in use. Vulnerability testing should only be performed on devices or systems not currently in use or not intended for use.
3. For Healthcare products, never perform any vulnerability or similar testing on products that are actively in use in patient care, patient diagnosis or patient monitoring.
4. For web-based products, please use demo/test environments to perform vulnerability testing.
5. Do not take advantage of the vulnerability or problem you have discovered; for example, by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying any data.
6. After vulnerability testing, each device should be retested to ensure no damage has been inflicted and the device is suitable for use. Contact your service provider prior to the device being placed back into use.
7. As part of responsible co-ordination of vulnerability disclosure, we encourage you to work with Philips on selecting public release dates for information on discovered vulnerabilities. To minimize the possibility of public safety, privacy and security risks, we request your cooperation in synchronizing the release of information. Please inform us of your disclosure plans, if any, prior to public disclosure.
8. The discloser’s actions must not be disproportionate, such as:
a) Using social engineering to gain access to the system.
b) Building his or her own backdoor in an information system with the intention of then using it to demonstrate the vulnerability, as doing so can cause additional damage and create unnecessary security risks.
c) Utilizing a vulnerability further than necessary to establish its existence.
d) Copying, modifying or deleting data on the system. An alternative to doing so is making a directory listing of the system.
e) Making changes to the system.
f) Repeatedly gaining access to the system or sharing access with others.
g) Using brute force attacks to gain access to the system. This is not a vulnerability in the strict sense, but rather repeatedly trying out passwords.
9. Philips will provide full credit to researchers who make a vulnerability report or perform testing, in publicly released patch or security fix release information, if requested.