Inhalt überspringen
Navigation öffnen

Vulnerability disclosure

The vulnerability disclosure reference revision 1.0 and be dated 27.01.2025

1. Purpose
 
 At Laerdal we prioritize the security of our products and systems. This Vulnerability Disclosure Policy (VDP) provides a transparent, legal, and standardized process for security researchers and the public to report Laerdal security vulnerabilities responsibly and describes what systems and types of research are covered under this VDP. The VDP also outlines Laerdal commitment to communicate vulnerability resolutions to affected users and customers as well as providing researchers a comfortable reporting environment for vulnerabilities they have discovered, so we can fix them, and keep Laerdal users safe. 
 
 2. Scope
 
 This VDP applies to vulnerabilities identified in:
 
 i)      All publicly accessible websites, applications, APIs, or embedded systems owned
         or  operated by Laerdal.  
 ii)     Any mobile or desktop software developed by Laerdal. 

   Exclusions (optional):
 
 i)     Vulnerabilities related to third-party services or applications not controlled by Laerdal
        that are  not expressly listed above such as any connected services. 
 ii)    Physical security issues. 

3. Our Commitment

 We will:
 
i)     Acknowledge receipt of vulnerability reports promptly  . 
ii)    Investigate the issue and communicate with the reporter throughout the process. 
iii)   Strive to resolve valid vulnerabilities within a reasonable timeframe. 
iv)   Inform affected users and customers about vulnerabilities and security updates promptly
       and responsibly (see Section 8). 
v)    Credit researchers publicly, if desired, after the vulnerability is resolved. 

4. Guidelines for Reporting Vulnerabilities
 
i)    To help Laerdal handle your report effectively, please: 
ii)    Report the issue to Laerdal promptly and avoid public disclosure until it is resolved. 
iii)   Provide detailed information about the vulnerability, including steps to reproduce it, affected           systems, and potential impact. 
iv)    Do not exploit the vulnerability beyond what is necessary to demonstrate its existence,                   compromise or exfiltrate data, establish command line access and/or persistence, or
        use  the exploit to "pivot" to other systems. 
        Make every effort to avoid: 
              i)  Privacy violations. 
              ii)  Data destruction or unauthorized access to other users' data. 
              iii) Disruption of services, especially Denial of Service (DoS) attacks. 
v)     Should you have established that a vulnerability exists or encountered any sensitive data              (including but not limited to financial information, trade secrets or personally identifiable                   information), you must stop the test, notify Laerdal immediately, and not disclose this
         data to anyone else. 
vi)     Provide Laerdal with a reasonable amount of time to resolve the issue before you
         disclose it publicly. 

5. Reporting Process
 
     1. Submit the Report:
          Please report vulnerabilities and send Laerdal your questions via our dedicated                              vulnerability reporting email: [email protected], or through Laerdal customer                    feedback process:Customer Care | Laerdal Medical
      2. Include the Following Information:
          i)    Description of the vulnerability and the potential impact of exploitation.
          ii)   Steps to reproduce.
          iii)  Relevant system, application, or URL where the vulnerability exists.
          iv)  Any supporting evidence (e.g., screenshots, logs).
      3. Await Confirmation:
          Once received, Laerdal will acknowledge your report promptly and provide you with
          a case number for tracking.   
      4. Coordinate Remediation:
           Laerdal may request additional information to help verify and mitigate the issue and
           ask for your cooperation during this process.

6. Legal Safe Harbor
 
 Laerdal pledge that if you, as a security researcher, follow the guidelines of this VDP in good faith:
 i)  Laerdal will not initiate legal action against you. 
ii)   We will consider your report as part of our vulnerability disclosure process. 


However, please note that any activity outside the guidelines (e.g., exploiting data or causing service disruptions) may violate applicable laws, and Laerdal Medical reserves the right to pursue legal action in such cases.
 
7. Out of Scope Vulnerabilities
 
 The following types of issues are considered out-of-scope for this VDP:
 
i)    Reports based on outdated software or browser versions. 
ii)   Security issues without a direct or meaningful security impact. 
iii)  Clickjacking on pages without sensitive functionality. 
iv)  Denial of Service (DoS) attacks. 
v)   If there is a system not in scope that you think merits testing, please contact us to discuss
      it first. We are committed to increasing the scope of this VDP and our work of reducing our              vulnerabilities.

8. Communication to Users and Customers
 
As part of Laerdals commitment to transparency and responsible disclosure, Laerdal will communicate with affected users and customers regarding vulnerabilities and security updates in a timely and clear manner.

We will follow these steps:
 
      1. Assessment of Impact:
          After verifying the vulnerability, we will assess the potential impact on our users and                      customers. If personal data or critical system functions are at risk, communication will be              prioritized.
       2. Timely Notification:
           Once the vulnerability has been identified and mitigated, Laerdal will:
           i)   Notify affected users and customers within a reasonable timeframe.
           ii)  Clearly explain the nature of the vulnerability, the risks involved, and the actions taken                    to resolve the issue.
          iii)  Provide steps for users to protect themselves (e.g., updating software, changing                           passwords).
      3. Communication Channels:
           i)   Email notifications for urgent vulnerabilities.
           ii)  In-app or system notifications where applicable.
           iii) Public security advisories published on our website.
      4. Transparency and Disclosure:
          For severe vulnerabilities, Laerdal may publish a security update blog or advisory,
          detailing the issue, its resolution, and any recommendations for users.   
      5. Post-Mitigation Communication:
          After the vulnerability is resolved, a follow-up communication will be sent, including:
          i)   Information about the resolution.
          ii)  Confirmation of any necessary actions users or customers should take.
         Laerdal believe that transparent communication builds trust and helps protect the                           community from potential security risks.
 

9. Recognition and Rewards (Optional)
 
Laerdal highly value the efforts of the security community.
Based on the severity of the vulnerability and its impact on our systems, Laerdal may offer:
i)  Public recognition of your contribution. 
     

10. Program Updates
 
 Laerdal reserve the right to modify the terms of this VDP at any time.
Updates to the VDP will be published on Laerdal website, and any changes will take effect immediately.