AGFA HealthCare

Vulnerability Disclosure Policy

AGFA HealthCare is committed to ensuring the security of its customers by protecting any sensitive information from unwarranted disclosure. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to provide our preferences in how to submit discovered vulnerabilities.

This policy describes what solutions/services and types of research are covered under this policy, how to send us vulnerability information, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

We want security researchers to feel comfortable reporting vulnerabilities they’ve discovered – as set out in this policy – so that we can fix them and keep our users and that of our customers safe. We have developed this policy to reflect our values and uphold our sense of responsibility to security researchers who share their expertise with us in good faith.

Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, and we will work with you to understand and resolve the issue quickly. Subsequently, AGFA HealthCare will not recommend or pursue legal action related to your research.

Guidelines

Under this policy, “research” means activities in which you:

  • Notify us as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems.
  • Provide us with a reasonable amount of time to resolve the issue before you disclose it publicly.
  • You do not intentionally compromise the privacy or safety of AGFA HealthCare personnel (for example, civilian employees), AGFA HealthCare customers and their patients, or any third parties who may be in a contractual agreement with AGFA HealthCare.
  • You do not intentionally compromise the intellectual property or other commercial or financial interests of any AGFA HealthCare personnel or entities, or any third parties.

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, patient health information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.


Scope

All solutions and services referenced below are in scope.

Though we develop and maintain other solutions or services, we ask that active research and testing only be conducted on the solutions and services covered by the scope of this document. If you aren’t sure whether a system or endpoint is in scope or not, contact  ispriskmanagerhealthcare@agfa.com before starting your research.

If there is a solution or service not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.

Product Version
Enterprise Imaging Departmental (Radiology, Cardiology, etc.) 8.2.x, 8.3.x, 8.4.x
Enterprise Imaging VNA 8.2.x, 8.3.x, 8.4.x
Enterprise Imaging XERO 8.2.x, 8.3.x, 8.4.x
Enterprise Imaging XERO Portal 1.x, 2.x
Enterprise Imaging Teach and Research 1.x, 2.x
   
   

Rules of Engagement

Security researchers must not:

  • Test any solutions or service other than those set forth in the ‘Scope’ section above,
  • Disclose vulnerability information except as set forth in the ‘Reporting a Vulnerability’ and ‘Disclosure’ sections below,
  • Engage in physical testing of facilities or resources,
  • Engage in social engineering,
  • Send unsolicited electronic mail to AGFA users, including “phishing” messages,
  • Execute or attempt to execute “Denial of Service” or “Resource Exhaustion” attacks,
  • Introduce malicious software,
  • Test in a manner which could degrade the operation of AGFA HealthCare solutions; or intentionally impair, disrupt, or disable the systems of AGFA HealthCare customers who are utilizing any of the solutions/services listed under Scope,
  • Test third-party applications, websites, or services that integrate with or link to or from AGFA HealthCare solutions/services,
  • Delete, alter, share, copy, retain, or destroy AGFA HealthCare data, or render AGFA HealthCare data inaccessible, or,
  • Use an exploit to exfiltrate data, establish command line access, establish a persistent presence on AGFA HealthCare solutions, or “pivot” to other AGFA HealthCare solutions.

Security researchers may:

  • View or store AGFA HealthCare nonpublic data only to the extent necessary to document the presence of a potential vulnerability.

Security researchers must:

  • Cease testing and notify us immediately upon discovery of a vulnerability,
  • Cease testing and notify us immediately upon discovery of an exposure of nonpublic data, and,
  • Purge any stored AGFA HealthCare nonpublic data upon reporting a vulnerability.


Reporting a Vulnerability

We accept vulnerability reports at https://vulnerabilitydisclosure.agfahealthcare.com. Reports may be submitted anonymously.  We do not support PGP-encrypted emails at this time.

Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely AGFA HealthCare, we may share your report with the competent cybersecurity authorities (e.g. CISA, NCSC, SingCERT, etc) where it will be handled under their coordinated vulnerability disclosure process). We will not share your name or contact information without express permission.

By clicking “Submit Report,” you are indicating that you have read, understand, and agree to the guidelines described in this policy for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to AGFA HealthCare solutions and services, and consent to having the contents of the communication and follow-up communications stored by AGFA HealthCare

In order to help us triage and prioritize submissions, we recommend that your submission:

  • Adheres to all legal terms and conditions outlined at Privacy and Legal Notice .
  • Describes the vulnerability, where it was discovered, and the potential impact of exploitation.
  • Offers a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).


Disclosure

AGFA HealthCare is committed to timely correction of vulnerabilities. However, we recognize that public disclosure of a vulnerability in absence of a readily available corrective action likely increases versus decreases risk. Accordingly, we require that you refrain from sharing information about discovered vulnerabilities for 90 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, we require that you coordinate in advance with us.

We may share vulnerability reports with the competent cybersecurity authorities (e.g. CISA, NCSC, SingCERT, etc), as well as any affected vendors. We will not share names or contact data of security researchers unless given explicit permission.

About AGFA HealthCare