Contact

Adaptive Sensory Technology,
spun out of Harvard Medical School,
has offices in San Diego, California
and München, Germany.

San Diego, California

9823 Pacific Heights Blvd, Suite CD
San Diego CA 92121
United States of America
Phone +1 (858) 291-8496
Fax +1 (855) 821-3181
Email sandiego@adaptivesensorytech.com

München, Germany

Gottfried-Keller-Str. 33
81245 München
Germany
Email munich@adaptivesensorytech.com

Vulnerability disclosure

As a medical device company, we know that any system and infrastructure can be(come) vulnerable. We encourage everyone to report security vulnerabilities. This protects us, our customers, partners and stakeholders and makes the world a little more secure.

Safe Harbour

We will not take any legal action against activities complying with this policy. If legal actions are initiated by third parties due to activities compliant with this policy, we will take actions to make it known to responsibles and/or legal authorities.

Our promise

We will review and respond to your report promptly and conduct an open dialog with you. We will provide a timeline for when we expect the vulnerability to be fixed.

Your promise

You promise to use discovered vulnerabilities for no other purpose than reporting them to us. Vulnerabilities are reported exclusively and privately, promptly after detection. You promise to not take actions with the intention to harm us, our customers, partners, or any other stakeholder.

Scope

The scope of this vulnerability disclosure policy (VDP) includes:
  • Internet-facing services operated by Adaptive Sensory Technology, such as this web site.
  • All Manifold devices.
The following activities are prohibited:
  • Denial of service (incl resource-exhaustion, automated scanners with high loads, deleting data, fuzzing, etc)
  • Spamming
  • Social engineering (including phishing)
  • Physical access (incl entering or surveilling properties)
  • Attacking non-internet facing systems (internal networks, private IPs, workstations, etc)
  • Installing persistent backdoors
Issues without direct security impact, lack of hardening, or defense-in-depth measures are out of the scope of this VDP. This includes (but is not limited to):
  • Presence/absence of DKIM/SPF/DMARC records
  • Missing http headers (such as CSP, Permissions-Policy, etc)
  • Clickjacking
  • Missing http cookie flags
  • Information disclosure of non-sensitive contents (like robots.txt, sitemap.xml, files, directories, etc)
  • Absence of best practices
  • Self-Attacks
  • CSRF with low or no impact
  • Open ports
  • Attacks requiring pre-conditions that would be security issues per se (e.g. usage of outdated browsers, vulnerable browser plugins, weak user passwords)
  • Lookalike domains
  • Homograph attacks
  • Broken links
  • Metadata in assets (like images, PDFs, etc)
  • Theoretical attacks with no realistic exploit scenario
  • Weak SSL/TLS settings
  • Software that is out of date without proven security impact
  • Missing multi-factor authentication
  • Recently patched vulnerabilities in third-party software within two weeks after publication

Contact

Please contact us via info@adaptivesensorytech.com.

Thank You

Thank's to all who report security vulnerabilities to us.

Attribution

We acknowledge the vulnerability disclosure policy template licensed under CC0 1.0 by Syslifters, on which the above policy is based.