Global Coordinated Vulnerability Disclosure Policy

Olympus Coordinated Vulnerability Disclosure Process

Olympus understands the critical role of security in our products and is committed to addressing the security concerns of our customers. The Olympus product security program is governed by global policies and procedures which include Risk Management relating to security vulnerabilities, Coordinated Vulnerability Disclosure, and Incident Handling.

Olympus PSIRT (Product Security Incident Response Team) publishes product security vulnerabilities via advisories either issued directly to our customers or on the Product Security webpage. Examples of when Olympus would publish a security advisory are as follows:

  • Vulnerabilities in our products that are considered an unacceptable risk because they affect patient safety and/or the essential performance of the product.
  • Vulnerabilities that have been disclosed publicly in the media.
  • Vulnerabilities disclosed by the security community.

Olympus PSIRT Product Security Vulnerability Management

The Olympus PSIRT team handles product security vulnerabilities utilizing the following procedure.

Discover

Monitor for potential vulnerabilities from internal and external sources.

Triage

Evaluate the security risk and patient safety risk of the vulnerabilities.

Remediate

Evaluate and develop the countermeasures needed to mitigate or eliminate the vulnerability.

Disclosure

If a vulnerability is determined to be an unacceptable risk, a security advisory will be released to the applicable customers and corresponding agencies promptly. Below are the items that are included in the advisory.

  • Description of the Vulnerability
  • Vulnerability ID
  • CVSS Score
  • Affected Products
  • Description of the mitigation/remediation (if identified)

Note: The Olympus PSIRT team will update advisories as new information becomes available.