Coordinated Vulnerability Disclosure (CVD) Policy
Introduction
TEDIRO is committed to ensuring the safety, privacy, and security of the users of our products. We recognize that actively maintaining the cybersecurity of our products is essential for this purpose.
We have developed this Coordinated Vulnerability Disclosure (CVD) policy to foster collaborative relationships with the security research community while fulfilling our obligations under Regulation (EU) 2017/745 (MDR), Regulation (EU) 2016/679 (GDPR), and our commitment to implementing state-of-the-art cybersecurity practices in accordance with BSI guidance and our quality management principles.
We welcome security researchers who act in good faith to help us identify vulnerabilities in our products and systems. This policy reflects our corporate values and legal commitment to researchers who provide us with their expertise.
Scope
Products and services covered
This vulnerability disclosure program covers the following TEDIRO products and services:
- THERY
- robot
- (medical) application software (UAG, GO)
- Therapy Management System (TMS)
- our website (https://tediro.com/)
While TEDIRO may provide additional products and services, we ask security researchers to focus submissions on the products listed above for now. We intend to expand our program scope as we build capacity and experience.
Explicit exclusions
The following activities are explicitly excluded from this program:
- Testing of medical devices during patient treatment
- Denial of service attacks against covered products and services, partner or third-party systems
- Social engineering attacks against TEDIRO employees, customers, or partners
- Attacks requiring physical access to TEDIRO facilities
- Vulnerabilities in third-party software/hardware not directly controlled by TEDIRO
Legal Safe Harbor
TEDIRO will not initiate civil or criminal legal proceedings against individuals who submit vulnerability reports in good faith through this program, provided that researchers:
- Respect patient safety: Do not test on devices actively being used for patient care
- Act within program scope: Focus research on the products and services listed in this policy’s current scope
- Avoid abuse: Do not access, modify, delete, exfiltrate, or store patient data (PHI/ePHI), personally identifiable information (PII), or any other confidential information beyond what is necessary to verify the vulnerability
- Respect service availability: Avoid denial of service attacks, resource exhaustion, or other activities that could impact system availability
- Follow coordinated disclosure: Do not publicly disclose vulnerability details (including, but not limited to, Proof-of-Concept exploits) until a mutually agreed timeline has been established and followed
- Comply with applicable law: Adhere to laws applicable to TEDIRO operations in Germany and the EU and those in your jurisdiction
- Report in good faith: Provide accurate, complete information about discovered vulnerabilities
If a third party initiates legal action or investigation relating to your good-faith research conducted under this policy, we will make clear to the relevant authorities that your actions were conducted pursuant to this policy and within our interests, where legally permissible.
How to Report a Vulnerability
Our commitment
- Professional, respectful communication throughout the process
- Transparency about timelines and any challenges that may extend remediation
- Coordination of a disclosure timeline that balances public interest with patient safety
Primary contact method
- Email: security@tediro.com
For confidential communication and attachments, we recommend using PGP:
- PGP public key: https://tediro.com/tediro-security-pub.asc
- Key fingerprints:
  - Encryption: 5188 8E19 291A 11BB F4C5 EB74 E38D 5A26 7E21 C2A9
  - Signature: 97F5 5A9F BA20 6875 F533 2EBD 7EDB 483A E6F9 81CB
Alternative contact method
- Email: vorkommnisse@tediro.com
(contact for the Person Responsible for Regulatory Compliance under MDR)
Required information
Please include the following information in your submission:
- Contact information: Your name/handle/alias, organization (if applicable), and contact method (preferred: email; see also Privacy policy)
- Affected products: Specific model numbers, software versions, and configurations affected
- Vulnerability details: Description of the vulnerability and its potential impact and, if available, technical evidence demonstrating the vulnerability (screenshots, logs, etc.)
- Reproduction Steps: Detailed steps to reproduce the vulnerability
- Optionally:
- Proof-of-Concept code: Code that shows how the vulnerability can be exploited automatically
- Active exploitation: Information on whether the vulnerability is actively exploited by third parties
- Suggested Mitigation: Any recommendations for addressing the vulnerability
- Disclosure Timeline: Your intended timeline for public disclosure, if any (see below for our standard timeline)
Guaranteed response times
Timelines start when TEDIRO receives your initial report.
Response timeline
- Initial Acknowledgement (5 working days): Acknowledgement of receipt and initial assessment
- Validation (10 working days): Technical validation and impact assessment
- Risk Assessment (15 working days): (Clinical) safety and security impact assessment
- Remediation Planning (30 working days): Develop fix/mitigation strategy
- Implementation: Timeline dependent on complexity and regulatory requirements
You’re welcome to inquire on the status of the process. Please limit inquiries to no more than once every 14 days.
Disclosure timeline
- (Public) Disclosure (90 days): Coordinated (public) disclosure after validation and remediation deployment
- Extension: Up to 90 additional days in coordination with CERT-Bund
Factors affecting timelines
- Regulatory approval requirements for medical device changes
- Verification and (clinical) validation requirements
- Customer deployment coordination for critical systems
- Supply chain coordination, especially for hardware-related issues
Escalation process
If communication issues arise that cannot be resolved through direct communication, neutral third parties may be engaged:
- Thüringer Landesamt für Verbraucherschutz (TLV, competent authority under MDR, https://verbraucherschutz.thueringen.de/tlv-kontaktadressen)
- Bundesinstitut für Arzneimittel und Medizinprodukte (BfArM, national competent authority under MDR, https://www.bfarm.de/DE/Medizinprodukte/Antraege-und-Meldungen/Vorkommnis-melden/_node.html)
- CERT-Bund at Bundesamt für Sicherheit in der Informationstechnik (BSI, national CERT/CSIRT Germany, https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Reaktion/CERT-Bund/Kontakt/kontakt_node.html)
Acknowledgments
We don’t (yet) have a public vulnerability report acknowledgments page. If you would like to be acknowledged if and once such a page is established, please include your permission for us to do so with your submission.
This policy does not create any contractual obligations beyond those described herein and is subject to applicable German and EU law.