Coordinated Vulnerability Disclosure

Exact Sciences is committed to ensuring the security of its products in order to:

  • Protect the security and safety of patients.
  • Protect the confidentiality, integrity, and availability (CIA) of information associated with Exact Sciences connected medical devices and information.
  • Comply with federal, territorial, state, and local laws.

Across Exact Sciences, we continuously strive to improve cybersecurity and protect information through the product lifecycle. One of the ways we collect vulnerability reports is through a formal Coordinated Vulnerability Disclosure process.

Guidelines

Under this policy, “research” means activities in which you:

  • Notify us within 24 hours after you discover a real or potential cybersecurity issue.
  • Make efforts to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent required to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
  • Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
  • Do not submit a high volume of low-quality reports.

Reporting a vulnerability

We accept vulnerability reports through the email address productsecurity@exactsciences.com. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of the initial email within ten (10) business days.

We suggest that submissions be handled in a manner consistent with existing cybersecurity standards, specifically using encryption and related protections (e.g., hashing, PGP-encrypted email).

What we would like to see from you

In order to help us triage and prioritize submissions, we recommend that your reports:

  • Describe where the vulnerability was discovered and the potential impact of exploitation.
  • Provide full details of the vulnerability, including the information required to reproduce and validate the issue, by producing a proof of concept (code, a technical demonstration of the vulnerability, or the steps needed to demonstrate your finding).
  • Be in English, if possible.
  • Be aware that security testing may have side effects on the product that are not apparent. When in doubt, decommission the device and contact Exact Sciences.
  • Once a vulnerability is identified, use it only as far as needed to demonstrate it.

Likewise, we require that you:

  • Never perform security testing on devices that are actively being used for diagnostics or monitoring.
  • Avoid testing that could cause a privacy issue or damage equipment.
  • Avoid testing on devices in use or software that is in a production environment.
  • Engage in vulnerability testing within the scope of our vulnerability disclosure program in accordance with the terms and conditions of agreements entered between Exact Sciences and individuals.
  • Never build your own backdoor in an information system with the intention of then using it to demonstrate the vulnerability, as doing so can cause additional damage and create unnecessary cybersecurity risks.

What you can expect from us

At Exact Sciences, we believe industry collaboration is essential to making our products more secure. That is why we strive for cybersecurity by design, in use and through collaboration with stakeholders. Whether our partners are customers managing the cybersecurity in their own environments, the cybersecurity research community helping us better research and evaluate emerging threats, or security vendors identifying practical security solutions, we appreciate the opportunity to collaborate. When you choose to share your contact information with us, we commit to coordinating with you as openly and as promptly as possible.

  • To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
  • We will maintain an open dialogue to discuss issues.
  • We will not share your name or contact information without express permission.

Questions

  • Questions regarding this policy may be sent to productsecurity@exactsciences.com. We also invite you to contact us with suggestions for improving this policy.
  • Exact Sciences is dedicated to reading and providing responses to reports of potential software security vulnerabilities in a timely manner. Any reports submitted which are not related to potential security vulnerabilities in supported software/firmware products will be forwarded to the appropriate product team.

All aspects of this process are subject to change without notice and to case-by-case exceptions. No level of response is guaranteed.