
Coordinated Security Vulnerability Disclosure Process


At 528 Innovations, we deeply value the contributions of the security research community. If you believe you have identified a potential security vulnerability in one of our products or services, we want to know immediately so we can investigate and remediate the issue. 

How to Contact Us 

Please send all security-related questions and incident reports to:  security@528innovations.com 

Note: To ensure the most efficient review and response, we request that all technical security communications be provided in English wherever possible. Otherwise, the translation process may delay our response.  

 

1. What to Include in Your Report 

To help us investigate and resolve the issue quickly, please provide the following details in your submission: 

  • Your Contact Information: Please include your name, organization, email address, and phone number. 

    • Note: We never share your contact information. We use this strictly to consult our internal records and contact you regarding your submission.  

  • Technical Description: 

    • Method of Discovery: How, when, and where you found the issue. 

    • Impacted Systems: Specific products, devices, or systems involved (please include software versions if available). 

    • Environment: Details on the testing environment and any tools used to discover the vulnerability. 

  • Data Exposure: Indicate if you were able to access any Protected Health Information (PHI) or Personally Identifiable Information (PII). 

    • Important: Please do not include specific PHI or PII data in your email submission; simply state whether access was possible. 

  • Prior Disclosure: Let us know if you have notified regulatory agencies, vendors, or other vulnerability coordinators about this issue. 

2. What 528 Innovations Will Do 

Once you submit a report, here is what you can expect from us: 

  • Confirmation: We will acknowledge receipt of your submission within five business days and provide a specific point of contact. 

  • Investigation: Our engineers will review your findings, investigate potential impacts across our product line, conduct a risk assessment, and determine the appropriate course of action to resolve the issue. We may contact you to clarify technical details. 

  • Updates: Within 30 days of receiving your report, we will provide you with a summary of the actions taken. 

  • Resolution: We will strive to implement the action plan identified to resolve the issue within 60 days of receiving your report. 

  • Reporting:  

    • The incident vulnerability will be disclosed to Information Sharing and Analysis Organizations (ISAOs) within 30 days of the date of reporting, if applicable.

    • A Medical Device Report will be submitted to the FDA as required by 21 CFR Parts 803 and/or 806, as applicable.

  • Recognition: With your explicit consent, we may publicly acknowledge your contribution to improving the security of our products. 

3. Guidelines & Important Information 

To ensure safety and legal compliance, we ask that you adhere to the following guidelines: 

  • Safety First: Avoid actions that could harm any person or interfere with therapy delivered by a product. 

    • Do not test on devices actively in use. 

    • Do not test in clinical settings or on software in production environments. 

  • Legal Compliance: Comply with all applicable laws and regulations when conducting your research. You must own the device or have explicit permission to test it. 

Note: 528 Innovations reserves the right to modify this coordinated disclosure process at any time and to make exceptions on a case-by-case basis.