Coordinated Vulnerability Disclosure Policy
Fortell Research, Inc
Version: 1.0
Effective Date: November 12, 2025
Introduction
At Fortell Research, Inc, as a manufacturer of FDA-regulated medical devices, the security and privacy of our patients and users are our highest priority. We are committed to protecting their information from unauthorized disclosure and ensuring our devices are safe and secure throughout their lifecycle.
Fortell Research maintains a coordinated vulnerability disclosure (CVD) process to support the identification, assessment, and remediation of cybersecurity vulnerabilities in its medical device products. This program aligns with industry expectations and references best practices such as those outlined by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), available at: https://www.cisa.gov/coordinated-vulnerability-disclosure-process
This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and outlines our approach to receiving, evaluating, and addressing cybersecurity vulnerabilities in our products and systems.
This policy describes which systems and types of research are covered, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities. We want security researchers to feel comfortable reporting vulnerabilities they have discovered, as set out in this policy, so we can fix them and keep our users safe.
Scope
This policy applies to Fortell products and systems. It excludes the following classes of systems and devices, which we do not authorize for testing:
- Vulnerabilities in third-party platforms or products not developed by Fortell Research.
- Legacy products no longer supported and marked end-of-life.
If you aren’t sure whether a system or product is in scope for authorized vulnerability research, please contact us at security@fortell.com.
Guidelines
Under this policy, “research” means activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not intentionally compromise the privacy or safety of Fortell personnel or any third parties.
- Do not intentionally compromise the intellectual property or other commercial or financial interests of any Fortell personnel or entities, or any third parties.
- Do not submit a high volume of low-quality reports.
Once you’ve established that a vulnerability exists or encountered any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Our Commitment to Researchers
We are committed to:
- Working in good faith with researchers
- Acknowledging receipt of vulnerability reports within seven calendar days
- Providing status updates throughout the investigation and remediation process
How To Report A Vulnerability
Please email us at security@fortell.com with sufficient detail for us to evaluate the impact and severity of your findings (e.g. which product or system the vulnerability was found in, explanatory text and screenshots, steps to reproduce, etc.).
Responsible Disclosure Guidelines
We ask that you:
- Do not exploit the vulnerability beyond what is necessary to demonstrate the issue
- Do not access, modify, or delete patient data or any personal information
- Do not perform denial-of-service (DoS) testing or other tests that impair access to or damage a system or data
- Do not conduct physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
- Provide us a reasonable amount of time (typically 90 days) to resolve the issue before publicly disclosing it
We may request extensions or accelerated coordination depending on risk severity and patch readiness, and we will coordinate with you regarding the timing and content of any public disclosure.
Vulnerability Handling and Remediation Process
Collection
Fortell accepts vulnerability reports from external security researchers, customers, partners, and internal personnel through designated communication channels (e.g., security@fortell.com). Submitted reports should include sufficient detail to allow Fortell to understand, reproduce, and evaluate the issue.
Analysis
Upon receiving a report, Fortell performs an initial technical review to validate the reported vulnerability, determine the affected components, and assess potential security or safety impact. Fortell’s engineering, quality, and cybersecurity teams jointly evaluate the severity and applicability of each confirmed vulnerability in accordance with internal security and risk management procedures.
Mitigation Coordination
If a vulnerability is confirmed, Fortell coordinates development of the appropriate mitigation action, which may include configuration updates, compensating controls, software patches, or other corrective actions. Mitigations are developed and validated in alignment with Fortell’s established cybersecurity, software development, and risk-management processes.
Application of Mitigation
Validated mitigations or patches are made available to affected customers through Fortell’s standard service and support mechanisms. Where applicable, documentation or instructions will accompany the update to support safe and effective implementation.
Disclosure
Consistent with Fortell’s internal policies and applicable regulatory expectations, affected users may be informed of confirmed vulnerabilities, available mitigations, and any recommended actions through direct communication or updated support documentation. Public advisories may be issued when appropriate. Customers may request additional information regarding Fortell’s vulnerability-handling practices or specific mitigations by contacting security@fortell.com.
Recognition and Credit
With your consent, we may publicly acknowledge your contribution in company communications or release notes. We do not offer monetary bounties at this time.
Legal Safe Harbor
We consider activities conducted in accordance with this policy to be authorized and in line with our commitment to improving security. We will not take legal action against researchers who discover and report vulnerabilities in accordance with this policy.
Contact Us
If you have any questions about this policy or are unsure whether your research falls within scope, please contact us at: security@fortell.com.