Spectral AI Coordinated Vulnerability Disclosure (CVD) Statement
Spectral AI Promotes Ethical Security Research
Spectral AI acknowledges the critical contribution of security researchers in advancing secure design practices and mitigating security risks across both the medical device industry and the broader healthcare ecosystem. We highly value the efforts of these researchers and actively encourage constructive collaboration regarding identified vulnerabilities and proposed disclosures in a coordinated and responsible manner. This page outlines our expectations for researchers conducting security assessments of Spectral AI products, as well as the commitments we can make to them during this process.
Purpose
The Spectral AI Coordinated Vulnerability Disclosure (CVD) Program is established to systematically manage the identification, analysis, and responsible disclosure of newly discovered security vulnerabilities within Spectral AI products. The core objective for both Spectral AI and participating security researchers is to mitigate risk effectively, ensuring comprehensive consideration of all operational environments that may be impacted by any identified vulnerability.
Scope
This Coordinated Vulnerability Disclosure (CVD) Statement applies to all commercially available Spectral AI products.
The process outlined herein is intended exclusively for reporting newly identified vulnerabilities within Spectral AI products. Vulnerabilities associated with operating systems or other third-party components fall outside the scope of this process and should not be submitted through this channel.
Reporting Guidelines for Security Researchers
Security researchers must follow these requirements throughout the vulnerability research and disclosure process, including initial research and testing:
• Use vulnerabilities responsibly: Exploit a vulnerability only to the minimum extent needed to confirm its existence. Do not access, copy, or exfiltrate sensitive data, create backdoors, or introduce additional vulnerabilities into a product for subsequent use.
• Protect patient safety: Do not conduct research or testing on systems where doing so could pose any risk of patient harm.
• Avoid clinical environments: Do not test products or network infrastructure in active clinical settings or in environments where devices are used for assessing patients or could inadvertently be used in this way.
• Restore products after testing: If a product may be used in a clinical setting, return it to its original state after testing. Contact Spectral AI for assistance if needed.
• Obtain permission: Secure written consent from the owner of the Spectral AI product before any testing so that the scope is clear. If the product is leased from Spectral AI, permission must be obtained from both Spectral AI and the lessee.
• Maintain confidentiality: Do not disclose vulnerability details publicly until a mutually agreed-upon time frame with Spectral AI has expired.
• Stay within scope: Operate only within the boundaries defined in this program.
• Notify promptly: Inform Spectral AI without delay of any communication with regulators or third parties regarding vulnerabilities you have discovered.
Report a Vulnerability
If you have identified a potential security vulnerability in a Spectral AI product, we encourage you to report it responsibly through our Coordinated Vulnerability Disclosure (CVD) program.
How to Submit a Report:
• Email Spectral AI at security@spectral-ai.com to initiate contact regarding a potential vulnerability.
• Please do not include sensitive or confidential information (such as patient data) in the body of the initial email or in unencrypted attachments.
• After initial contact, Spectral AI will coordinate with you to agree on a secure method for transmitting technical details, as appropriate.
• Include your contact information so we may follow up with you.
Important Notes:
• This channel is intended solely for reporting newly identified security vulnerabilities in Spectral AI products.
• Please do not use this email for:
o Issues related to previously disclosed vulnerabilities.
o Vulnerabilities in third-party components that are not part of Spectral AI product software.
• For information on previously disclosed vulnerabilities, please visit our Product Security Page.
What We Request from You:
To help us address your report efficiently, please provide the following:
• Submit a clear, well-written report in English to improve the chance of timely resolution.
• Include essential details such as the product’s geographical location, the exact model and serial number, the software version, and how you obtained access to the system (for example, purchased, leased, or tested with the owner’s written permission).
• Provide proof-of-concept code, if available, to assist in triage.
• Confirm that the report pertains to products within the scope of this program; reports outside this scope may not be prioritized.
• Share complete information, including:
o How you discovered the vulnerability
o Steps to reproduce the vulnerability
o Observed impact
o Your thoughts on CVSS scoring and suggested remediations.
• Maintain constructive cooperation during the triage and evaluation process.
• State your goal for disclosure and any plans for public disclosure.
• Do not use this channel to report complaints about Spectral AI products currently in use. All customer complaints regarding the safety or performance of a Spectral AI product in use should be made directly to Spectral AI customer support.
What You May Expect from Us:
• We will acknowledge receipt of your message within three (3) business days.
• During the initial triage and assessment phase, a designated member of the Spectral AI Team may contact you to:
o Request supplementary information;
o Communicate the anticipated process and timeline; or
o Advise that the reported vulnerability has not been accepted into the program due to non-compliance with program requirements or insufficient detail.
• Upon collection of sufficient information and acceptance of the report into the program, Spectral AI will:
o Conduct a comprehensive assessment and coordinate investigation;
o Maintain ongoing communication throughout the investigation and remediation phases, providing clear expectations regarding timelines; and
o Communicate our final conclusion.
• We will provide public recognition to the security researcher upon request, provided the reported vulnerability results in an official public disclosure.
Where appropriate, Spectral AI may engage a neutral third party to assist in resolving the reported issue.
By submitting a report, you acknowledge and agree that Spectral AI may use, and permit others to use, any data or information you provide without restriction. Your submission does not confer any intellectual property rights or impose any obligations on Spectral AI.