The Natus Coordinated Vulnerability Disclosure Policy is designed to provide transparency to our customers by providing information and guidance to help them manage cybersecurity risks. We encourage customers and other external stakeholders to collaborate on treatment response plans for vulnerabilities discovered in Natus products. The Coordinated Vulnerability Disclosure process consists of the following four phases:
- Discovery: Natus customers, security researchers, and other external stakeholders are encouraged to report a potential or discovered vulnerability, breach, or other cybersecurity signals and incidents that concern a Natus product. These potential or discovered vulnerabilities must be reported to Natus as a Technical Service complaint following Natus’ complaint handling process. Natus will acknowledge receipt of the reported signal promptly once received from the reporting source.
- Triage and Analysis: Natus works with the reporting source of potential security issues and events to investigate and verify reported vulnerabilities. If the vulnerability is verified and qualified for treatment planning, Natus will follow its Product Security Incident Response and Vulnerability Management procedure to establish effective treatment response plans. Timelines for treatment and disclosure should be conveyed as soon as possible.
- Remediation or Mitigation: The treatment response will identify remediation and/or mitigation strategies to eliminate the vulnerability or reduce the risk to an acceptable level. Where appropriate, the treatment response will include disclosure communications with coordinators, information-sharing groups, and regulatory agencies.
- Vulnerability Disclosure: Natus publishes released Coordinated Vulnerability Disclosures in the form of a Product Security Advisory or Product Security Bulletin on the Natus website. Release notes and other product labeling may be used to disclose vulnerabilities. In this phase, Natus shares vulnerability information with coordinators and/or other external stakeholders.