Novocure is committed to resolving vulnerabilities that could affect the integrity and security of our products or the privacy of patients and customers. This document describes Novocure’s process for receiving reports related to potential security vulnerabilities in its products and the company’s standard practice with regard to disclosing information related to verified vulnerabilities.
When to contact Novocure:
If you have identified a potential security vulnerability or privacy issue with a Novocure product, contact Novocure by sending an email to firstname.lastname@example.org. You should provide the following:
Name, version and configuration details of the affected product
Description of the vulnerability and the environment in which it was discovered
Description of how you would envision it being exploited
After your report is received, the appropriate personnel may contact you to follow up.
To ensure confidentiality, we encourage you to encrypt any sensitive information you send us via email.
For the purpose of this policy, the email@example.com address is intended only for reporting product or service security vulnerabilities. It is not for technical support information on our products or services.
Novocure attempts to acknowledge receipt of all submitted reports within seven days.
What you can expect from Novocure:
Novocure will work to verify the vulnerability and the potential impact. If the vulnerability impacts patient safety, we will work to develop a resolution and take appropriate action. All other vulnerabilities will be evaluated and addressed according to the associated risk.
As each security vulnerability case is different, we may take alternative actions in connection with issuing cybersecurity advisories. Novocure may decide to accelerate or delay the release of an advisory, or not to issue an advisory at all. Novocure does not guarantee that cybersecurity advisories will be issued for any or all security issues that customers may consider significant, or that advisories will be issued on any specific timetable.
All aspects of this process are subject to change without notice and to case-by-case exceptions. No particular level of response is guaranteed for any specific issue or class of issues.