Coordinated Vulnerability Disclosure Statement
At iCAD, the security of our systems and products is a top priority. No matter how much effort we put into system security, there is a chance a vulnerability will present itself. If you discover a vulnerability, please inform us as soon as possible so that we can work to resolve it.
Please do the following:
- Submit your findings to support@icadmed.com
- Report the vulnerability as quickly as is reasonably possible, to minimize the risk of threat actor exploitation.
- Report in a manner that safeguards the confidentiality of the report.
- Provide sufficient information to reproduce the problem, so we will be able to resolve it as soon as possible. Examples of necessary information include:
  - The IP address or the URL of the affected system
  - Description of the vulnerability to the best of your ability
Please don’t do the following:
- Reveal the vulnerability to others until it has been resolved.
- Take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people’s data.
- Build your own backdoor in an information system with the intention of then using it to demonstrate the vulnerability, because doing so can cause additional damage and create unnecessary security risks.
- Use brute force attacks, social engineering, distributed denial of service, spam or applications of third parties to gain access to the system.
- Repeatedly gain access to the system or share access with others.
What we promise:
- We will respond to your report with our evaluation and an expected resolution date based on the severity of the vulnerability.
- We will handle your report with strict confidentiality, and not pass on your personal details to authorized personnel without your permission, unless it is necessary to comply with a legal obligation.
- We will not take any legal action against you in regard to the report, if you have followed the instructions provided.
- We will keep you informed of the progress towards resolving the problem.
- We do not offer any financial rewards for vulnerabilities reported.
- We strive to resolve all problems as quickly as possible.