Vulnerability Disclosure Program

Security is one of the top priorities at NuVasive and we recognize the valuable contributions that the security researcher community makes to many organizations. In an ongoing effort to protect the NuVasive community, we have established a vulnerability disclosure program to allow for collaboration with security researchers from around the world regarding potential security issues discovered in our systems.

Guidelines

We seek to deal in good faith with researchers who discover, test, and submit vulnerabilities or indicators of vulnerabilities in accordance with these guidelines:

  • Notify us as soon as possible after the discovery of a real or potential security issue or upon gaining unauthorized access to a system.
  • Do not harm and do not exploit any vulnerability beyond the minimal amount of testing required to confirm the vulnerability’s presence.
  • Avoid intentionally accessing the content of any communications, data, or information transiting or stored on NuVasive information system(s) – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
  • Do not exfiltrate any data under any circumstances.
  • Do not conduct denial of service testing or any other testing that would impact the operation of NuVasive’s systems.
  • Do not conduct any non-technical attacks such as social engineering (e.g., phishing) or physical testing (e.g., office access).
  • Do not perform any brute-force attacks.
  • Avoid tests that could cause degradation or interruption of the websites and services. Any automated requests/scanning must be kept to under 5 requests per minute.

If at any point you are uncertain whether to continue testing, please reach out to [email protected]. Once you’ve established that a vulnerability exists or have encountered any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Scope

Testing is only authorized on the targets listed as in-scope. Any domain and/or property of NuVasive not listed is out of scope, including any and all subdomains not listed below. If you happen to identify a security vulnerability on a target that is not in-scope, but it demonstrably belongs to NuVasive, you can report it to this program.

In Scope:

  • https://www.nuvasive.com
  • https://atlas.nuvasive.com
  • https://www.thebetterwayback.org
  • https://www.nuvasive.jp

Out of Scope:

  • https://www.nuvasive.com/surgical-solutions/neuromonitoring/nuvasive-clinical-services/schedule-a-case/
  • https://www.nuvasive.com/journeytogetherprogram/
  • https://www.nuvasive.com/pcmsurvey/
  • https://www.nuvasive.com/resources/new-technology-submission-portal/
  • https://www.nuvasive.com/fsnmagec2020/
  • https://www.thebetterwayback.org/#call-form
  • https://www.thebetterwayback.org/#text-form
  • https://www.nuvasive.jp/contact

Warranty Disclaimers

BY PARTICIPATING IN THE PROGRAM, YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT SUCH PARTICIPATION IS SOLELY AT YOUR OWN RISK. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NUVASIVE EXPRESSLY DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES OF ANY KIND IN CONNECTION TO THE PROGRAM, WHETHER STATUTORY, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS. NUVASIVE SPECIFICALLY DISCLAIMS ANY LIABILITY WITH REGARD TO ANY ACTIONS RESULTING FROM YOUR PARTICIPATION IN THE PROGRAM.

Reporting

Below you will find the form where you can submit your finding. Please remember to include as much information as possible, presented clearly, to help facilitate validation. It is highly recommended that you provide your email address to ensure you can claim your submission and continue communication as needed.

Any information submitted through this process will become the property of NuVasive, and does not create any right to payment for you or any obligation for NuVasive to pay you. All aspects of the vulnerability disclosure program are subject to change without notice at any time. By submitting a report, you agree to be bound by, and that the information provided will be governed by, our site’s Terms of Use and Privacy Policy. All aspects of the program are subject to, and you agree to abide by, applicable laws.