
Coordinated Vulnerability Disclosure (CVD) Statement

OptraSCAN is committed to maintaining the safety, security, and reliability of its digital pathology products and services. We prioritize protecting patients, clinicians, laboratories, and customers who rely on our solutions. Our commitment includes welcoming responsible security research and ensuring that potential vulnerabilities are handled in a coordinated, systematic, and transparent manner.

This Coordinated Vulnerability Disclosure (CVD) Statement describes how vulnerability reporters can safely and responsibly notify OptraSCAN of potential security issues, and how OptraSCAN will work to assess and address them.

Scope

This CVD program applies to cybersecurity vulnerabilities that may impact the:

  • OptraSCAN digital pathology devices, solutions, systems, and platforms
  • Software applications, desktop clients, web applications, and cloud-connected services
  • Data integrity, availability, authentication, and access control mechanisms
  • System interoperability, communication interfaces, and software components

Issues unrelated to cybersecurity, such as general service faults, usability concerns, hardware damage, or third-party infrastructure, may fall outside this program.

How to Report a Vulnerability

If you believe you have identified a potential security vulnerability in an OptraSCAN product or service, we encourage you to report it privately and responsibly.

You can submit a report by clicking:

Report Incident

or email us at: customersupport@optrascan.com

To help us evaluate your report efficiently, please include (where possible):

1. Your contact information

  • Name and preferred contact method
  • Organization (if applicable)

2. Technical details about the vulnerability

  • Product name and version/build
  • Operating environment tested
  • Relevant configuration or deployment context

3. Steps to reproduce

  • Input values, payloads, or required conditions
  • Tools used (if applicable)
  • Any relevant environment details

4. Optional evidence or materials

  • Screenshots, logs, network traces
  • Proof of concept code

5. Any third-party coordination already initiated

  • If you have submitted the issue to a national CERT, CSIRT, or other authority, please provide the associated tracking number.

OptraSCAN will acknowledge receipt of valid reports within two business days and provide follow-up communication as needed.

Rules of Engagement

OptraSCAN requests that all researchers follow these principles to ensure ethical and safe security testing:

  • Do not perform testing that could affect patient safety, clinical workflows, sample processing, or system availability
  • Do not access, alter, store, or disclose sensitive or personal data
  • Do not exploit or weaponize the vulnerability in any way
  • Limit testing to what is necessary to confirm the presence of the issue
  • Do not publicly disclose vulnerability details until OptraSCAN has had reasonable time to investigate and remediate

Researchers acting in accordance with these expectations will be treated as good-faith contributors to OptraSCAN's security.

Vulnerability Handling & Prioritization

All reported vulnerabilities are evaluated based on:

  • Potential impact on safety, system integrity, or clinical operation
  • Exploitability and likelihood of occurrence
  • Applicability across product versions, configurations, or environments

OptraSCAN prioritizes vulnerabilities that could affect patient safety, sensitive data, or essential functionality.

We may provide non-sensitive status updates as appropriate during the coordination process.

Indicative Remediation Targets

Once a vulnerability has been validated, OptraSCAN aims to remediate issues within the following indicative timeframes:

  • Critical vulnerabilities: Addressed as soon as possible, typically within 30 days, including communication of interim compensating controls where needed.
  • High vulnerabilities: Typically remediated within 45 days.
  • Medium vulnerabilities: Typically remediated within 60 days, often through routine update cycles.
  • Low vulnerabilities: Addressed through scheduled updates, configuration guidance, or documentation improvements.

These targets are indicative and may vary depending on technical complexity, component dependencies, third-party engagement, or the scope of required validation.

Regulatory Reporting Obligations

Where applicable, OptraSCAN will meet any required regulatory reporting obligations, including those to the FDA or other competent authorities, for IVD medical devices or connected digital pathology systems.

This includes reporting significant cybersecurity issues when required by law or regulation.

Coordinated Disclosure Guidelines

OptraSCAN supports coordinated vulnerability disclosure. We ask that all reporters:

  • Avoid public disclosure until an appropriate update, mitigation, or advisory is available
  • Notify OptraSCAN if planning to publish after the coordination period

A 90-day coordination window is generally appropriate for most issues, unless active exploitation or safety concerns require accelerated communication.

Legal Safe Harbor

OptraSCAN will not initiate legal action against individuals who:

  • Conduct security research in good faith,
  • Follow the process outlined in this CVD Statement,
  • Avoid accessing sensitive data, patient information, or systems beyond what is necessary for validation,
  • Do not exploit, misuse, or publicly disclose vulnerabilities without coordination,
  • Do not intentionally cause harm or disruption.

This safe harbor provision does not apply to actions that violate applicable laws, compromise patient safety, or intentionally disrupt operations.

Acknowledgment

OptraSCAN sincerely thanks the security research community, customers, and partners for their efforts to responsibly identify and report vulnerabilities. Your contributions help reinforce the safety, reliability, and security of OptraSCAN’s digital pathology solutions.

Together, we support a safer and more resilient healthcare ecosystem.