Responsible Disclosure
Scope
The scope of our vulnerability reporting program covers Scivita products that contain software and includes on-market medical devices, Software as a Medical Device, implants, capital equipment, and mobile medical applications.
This program is not intended to provide technical support information on our products or for reporting adverse events or product quality complaints.
Vulnerability Disclosure Statement
Scivita has an unwavering commitment to provide safe and secure products and has built a strong security program that is anchored in our Quality Management System. This system helps our organization reach the highest level of security through proactive monitoring and expedited responses when vulnerabilities are discovered.
How to Report a Potential Product Security Vulnerability
Scivita has developed a process to receive potential product security vulnerabilities from external sources, to validate their existence, and to determine how best to respond to improve product security and safety. In this context, a vulnerability is a security weakness that the submitter believes can be exploited. Please e-mail potential product security vulnerabilities to the Scivita Product Security team at product-security@scivitamedical.com. As a reminder, do not submit any data that contains individually identifiable health information, and, if possible, please submit the information in English. Please provide the following in your email:
● Contact information.
● Clear description of the potential product security vulnerability that you have identified and the methods used to exploit it.
● Detailed product information, including:
  o Product name
  o Model number
  o Serial number or lot number
  o Software version number
● Information regarding the network configuration you used when identifying the potential product security vulnerability.
● Proof-of-exploit code if available.
● How you found the potential product security vulnerability and the potential impact.
● Plans or intentions for public disclosure, and whether you have already communicated with a vulnerability coordinator and their tracking number for this potential vulnerability if one was provided.
What you can expect from Scivita
For submissions that are within the scope of this process:
● We will acknowledge receiving your report within five (5) business days.
● We will provide the name of a contact person at Scivita for the reported issue.
● After triage, Scivita will send an expected assessment timeline and commit to being as transparent as possible about any remediation timelines as well as any issues or challenges that may extend the timelines.
● Scivita will attempt to recreate your results. We will communicate with you if we have any difficulties in that re-creation.
● If confirmed to be a vulnerability, Scivita will conduct a risk assessment of the vulnerability and discuss that assessment with you.
● Scivita will identify whether users need to implement compensating controls while a potential fix is being prepared and communicate that to our customers using our normal customer notification processes.
● If Scivita determines that externally released communications are warranted, we will work with you to coordinate release announcements so you may receive credit, if desired.
The process described here is not a guarantee, but rather a statement of Scivita’s intentions that is subject to change based on the circumstances of any situation.
If you have legal concerns about reporting vulnerabilities to Scivita, please send an email to product-security@scivitamedical.com informing Scivita about your concerns prior to submitting any details through our product security reporting process.
Scivita welcomes any research conducted and submitted in good faith, and in that regard please bear in mind:
● Scivita expects that the intent of your testing is not to cause harm to patients, customers, or Scivita.
● Our software is protected by license terms that prevent the public disclosure of proprietary information contained in Scivita products. Please communicate with Scivita first about your findings, so together we can work out a mutually agreed-upon disclosure plan.
● You must adhere to the laws of China and your locality.
● Never perform security testing on devices actively in use or on those devices that will be used for patient care delivery after your investigation.
By submitting information to Scivita through this process, you are agreeing that submission of the information does not create any rights for you, that such information will be considered to be non-confidential and non-proprietary to you, and that Scivita will be entitled to such information in whole or in part for any use or purpose whatsoever, without restriction and without compensating you or in any other way obligating Scivita.
Note that at this time, Scivita does not have a bug bounty program in place.
This document Revision AC was created 11 November 2025.