Responsible Disclosure

Vulnerability Disclosure Statement

Qr8 Health is dedicated to enabling transformational improvement in patient care by providing medical devices for collecting highly standardized clinical data and patient-reported outcomes, in any medical or home setting.  We have an unwavering commitment to provide safe and secure products and services with a security by design mindset and a product security program that is anchored in our Quality Management System.   Qr8 Health is committed to open communications with our customers and patients regarding product security and we value the contributions of the security research community.  If you believe you have identified a potential security vulnerability in one of our products or services, we want to know so we can investigate.

How to Report a Potential Product Security Vulnerability

Please e-mail potential product security vulnerabilities to the Qr8 Health product security team at [email protected].
What Information to Provide
  • Your Contact Information
    • Contact name, organization name, email address and phone number so we can follow up with you.  We will never share your contact information for other purposes.
  • A Clear Description of the Concern or Potential Product Security Vulnerability
    • When, where and how it was discovered
    • Which products/devices/systems it is impacting:  product information such as the product name, model number, serial number, software version number, etc.
    • Whether you were able to access any protected health information or other personally-identifiable information about any user of the product or system in which you discovered the vulnerability.  Please do NOT include any protected health information or other personally-identifiable information about others in your email submission.
    • Any additional information you think will be helpful to us, including details on the testing environment and tools used to conduct the testing.
  • Other Notifications
    • Whether you have notified any other agencies about the potential vulnerability, such as regulatory agencies, vendors, vulnerability coordinators, etc.
    • Any plans or intentions for public disclosure, and whether you have already communicated with a vulnerability coordinator (e.g. ICS-CERT, CERT/CC, NH-ISAC, NCSC or others), including their tracking number for this potential vulnerability if one was provided.

What Will Qr8 Health Do?

Upon receipt of a concern or potential product security vulnerability, Qr8 Health will:
  1. Acknowledge receipt of the report within 2 business days and provide a tracking number for your report and a contact person.
  2. Notify the appropriate security engineers, who may follow up with you to better understand what you've found or to confirm technical details.
  3. Investigate the potential vulnerability and conduct a risk analysis to determine the appropriate action.
  4. Notify the appropriate regulatory bodies of a potential breach of protected health information as required by 45 C.F.R. § 164.408.
  5. Provide you with a summary of our findings once they are determined; we may publicly acknowledge your contribution to improving the security of our products and services, subject to your agreement.
  6. Use existing customer notification processes to manage the release of patches or security fixes, which may include direct customer notification or public release of an advisory on our website.

Important Information

  • We ask that you comply with all laws and regulations when conducting your research, and avoid actions that could harm products or people, such as brute-force testing, tests on active devices, tests on software in production settings, actions taken to exploit any vulnerability beyond what is needed to demonstrate it, and actions that leave a product or system changed after the test is concluded.
  • If you have identified a security vulnerability in a Qr8 Health product and would prefer to disclose the matter directly to a regulatory agency rather than to Qr8 Health, please contact the appropriate regulatory agency.
  • We reserve the right to change any aspect of our coordinated disclosure process at any time without notice, and to make exceptions to it on a case-by-case basis.