
Coordinated Vulnerability Disclosure (CVD) Policy

At Q-linea, cybersecurity is a natural priority, and we believe that close collaboration with the security community is key to maintaining trust in, and the security of, our systems.


Purpose

This Coordinated Vulnerability Disclosure (CVD) Policy outlines the procedures and responsibilities for the intake, assessment, remediation, and disclosure of cybersecurity vulnerabilities associated with the ASTar System. The goal is to promote patient safety and maintain the integrity, availability, and confidentiality of our product throughout its lifecycle.


Scope

This policy applies to all components of the ASTar System, including its software, operating system, hardware, and the third-party software packages integrated into the system. It has been developed in accordance with ISO/IEC 29147:2018.


Vulnerability Reporting

We encourage responsible researchers, customers, and other stakeholders to report any suspected cybersecurity vulnerabilities to us.

We request that the report includes, if available:

  • A detailed description of the vulnerability
  • Steps to reproduce
  • Impact assessment (if known)
  • Affected product versions


Acknowledgment and Communication

We will acknowledge receipt of the report within 7 calendar days.
The reporter will receive status updates at key milestones, including:

  • Initial validation
  • Planned public disclosure

We strive to resolve valid vulnerabilities within 60-90 calendar days, though timelines may vary depending on severity and complexity.


Remediation Process

All reported vulnerabilities will be:
1. Triaged to assess validity and severity.
2. Classified based on their impact using the Common Vulnerability Scoring System (CVSS).
3. Addressed through a patch, configuration change, or mitigation as part of our secure product lifecycle processes.
4. Tested and validated prior to release.


Disclosure Policy

We follow a coordinated public disclosure model:

  • Vulnerabilities will be disclosed after mitigation is available, or after a reasonable time period (typically 90 days).
  • Disclosure may occur via:
    • VINCE [1] (the CERT/CC coordination platform) or the MITRE CVE request form [2]

Credit may be given to the reporter if requested and agreed upon.


Non-Retaliation Statement

We will not pursue legal action against individuals who submit vulnerability reports in good faith and in accordance with this policy.


References

1. https://kb.cert.org/vince/

2. https://cveform.mitre.org/