CVRx Cybersecurity Vulnerability Disclosure Process

Security researchers that identify a cybersecurity vulnerability in a CVRx product or network can send a secure e-mail to [email protected] using the CVRx PGP Public Key to report the vulnerability or complete this form to provide the following information.

Details to Provide

• Your contact information, including name(s), organization name, email address and phone number so we can follow up with you.
• Sufficient information about the findings so that they can be reproduced, including products/devices/systems it is impacting.
• Details of what information was accessed.
• Additional information to assist us in understanding the environment and tools used to conduct the testing.

What CVRx Will Do

• Acknowledge the information provided within 1 week.
• Respond in a timely and constructive manner.
• Provide a transparent process.
• Perform an objective assessment of the vulnerability and the risks associated with it using industry recognized analysis processes.
• Communicate a summary of our findings.
• If our findings diverge from those of the Reporter, we will present our reasoning and participate in a constructive dialogue.

What We Ask of You

• We ask that you comply with all laws and regulations when conducting your research, and avoid actions that could harm products or people, such as brute force testing, tests on active devices, tests on software in production settings, actions taken to exploit any vulnerability, and actions that result in a change to a product or system after the test is conducted.
• We ask that you keep the vulnerability confidential to CVRx only until the company has completed its vulnerability investigation.
• We ask for your constructive cooperation during the triage and evaluation process.
• If you intend further action, we ask for your open communication about your expected timeline.