Align Technology coordinated vulnerability disclosure statement

Align Technology, Inc. and its affiliated entities (collectively, "Align," "us," "our," or "we") operate a global product security program, which guides our incident management and risk assessment activities relating to potential security and privacy vulnerabilities in our products and services. Align supports coordinated vulnerability disclosure: security researchers and customers who perform vulnerability testing may report potential security or privacy vulnerabilities in our medical device products and services to Align. You may contact us by submitting the product security webform at the link below.

Reporting procedure

Please complete the product security webform using this link with required fields in English. All communications and responses will be provided in English. This webform is secured using TLS (HTTPS).

What details to provide in the product security webform

  1. Your contact information, including name(s), organization name, email address and phone number so we can follow up with you. We ask for your contact information only to expedite communications as we work to address your submission.
  2. Please provide a technical description of the concern or vulnerability.
    1. Provide information on which specific product you tested, including product name and version number; the technical infrastructure tested, including operating system and version; and any relevant additional information, such as network configuration details.
    2. For web-based services, please provide the date and time of testing, the URLs, the browser type and version, and the input provided to the application.
    3. Information about the tools and techniques you used to discover this vulnerability.
  3. To help us to verify the issue, please provide any additional information, including details on the tools used to conduct the testing and any relevant test configurations. If you wrote specific proof-of-concept or exploit code, please provide a copy. Please ensure all submitted code is clearly marked as such.
  4. If you have identified specific threats related to the vulnerability, assessed the risk, or have seen the vulnerability being exploited, please provide that information.
  5. If you communicate vulnerability information to vulnerability coordinators such as ICS-CERT, CERT/CC, NCSC, or other parties, please advise us and provide their tracking number, if one has been made available.
  6. The following types of reports are considered out of scope of Align’s Coordinated Vulnerability Disclosure program:
    1. Reports of insecure SSL/TLS ciphers or missing HTTP headers without a working proof-of-concept.
    2. Attacks that may degrade, disrupt, or negatively impact services or patient experience/safety (e.g., denial of service, brute force, password spraying, spam, fuzzing).
    3. Vulnerabilities in unsupported medical devices, as the focus is on current and actively supported systems.
    4. Physical, social engineering, phishing, or electronic attacks.
    5. Attacks on systems not specifically identified as in-scope.
    6. Attacks stemming from stolen or leaked credentials.
    7. Vulnerabilities in third parties, such as Align suppliers or service providers.

What Align Technology will do

  1. Upon receiving a vulnerability report, Align will verify the reported vulnerability. If needed, Align will request more information from you or provide instructions to you to work with an approved third-party vendor.
  2. For a verified vulnerability, Align will notify the appropriate product teams to conduct a risk analysis to determine the vulnerability’s potential scope and classification level.
  3. Align will determine whether a fix is necessary to address the vulnerability; if so, the corresponding fixes will be developed and prepared for distribution.
  4. Align will use existing customer notification processes to manage the release of patches or security fixes, which may include direct customer notification or public release of an advisory notification on our website.

Important Information

  1. Refrain from including confidential information, e.g., patient information, in any screenshots or other attachments you provide.
  2. Never perform any vulnerability or similar testing on products while those products are actively being used in patient care, patient diagnosis, or patient monitoring.
  3. For web-based products, please use demo/test environments to perform vulnerability testing.
  4. Do not take advantage of the vulnerability or problem you have discovered; for example, by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying any data.
  5. After vulnerability testing, each device should be retested to ensure no damage has been inflicted and the device is suitable for its intended use. Contact your service provider prior to the device being placed back into use.
  6. As part of responsible coordination of vulnerability disclosure, we encourage you to work with Align on selecting public release dates for information on discovered vulnerabilities. To minimize public safety, privacy, and security risks, we request your cooperation in synchronizing the release of information. Please inform us of your disclosure plans, if any, prior to public disclosure.
  7. Your actions must not be disproportionate, such as:
    1. Using social engineering to gain access to the system.
    2. Building your own backdoor in an information system with the intention of then using it to demonstrate the vulnerability, as doing so can cause additional damage and create unnecessary security risks.
    3. Utilizing a vulnerability further than necessary to establish its existence.
    4. Copying, modifying, or deleting data on the system. An alternative to doing so is making a directory listing of the system.
    5. Making changes to the system.
    6. Repeatedly gaining access to the system or sharing access with others.
    7. Using brute force attacks to gain access to the system. This is not a vulnerability in the strict sense, but rather repeatedly trying out passwords.

Notice:

By submitting information through this process, you agree that Align is authorized to use the information in any manner, in whole or in part, without restriction. You also agree that submitting such information does not create any rights for you or any obligations (including payment) from Align.