Security & Coordinated Vulnerability Disclosure

Labtech Kft. is committed to the cybersecurity of our medical devices and Cardiospy software ecosystem.
Security researchers, customers, and partners are encouraged to report vulnerabilities in a responsible and
coordinated manner so that we can protect patients, healthcare providers, and hospital IT systems.

Contact the Labtech Security Team

If you believe you have discovered a security vulnerability in any Labtech product or service, please contact us via the contact form available on our website.

  • Open the “Contact” menu on our website and fill in the contact form.
  • In the subject / category field, please indicate that your message relates to “Cybersecurity” or “Vigilance”, or clearly mention that it is a security vulnerability report.

Service levels

  • Acknowledgement: within 48 hours
  • Initial triage: within 72 hours

Please do not include patient-identifiable data in plain text in the message or attachments. If you need to share sensitive information, indicate this in your message and we will contact you to agree on a secure way to transfer the data.

Scope of This Policy

This security and CVD policy applies to vulnerabilities in:

  • Cardiospy PC software
  • Cardiospy Mobile (Android / iOS)
  • EC-series medical devices (EC-2H, EC-3H, EC-12H, EC-12RM, EC-12S, EC-ABP, rehabilitation devices)
  • Firmware and communication protocols (USB, Bluetooth, SD-card based storage)
  • Update and distribution infrastructure (Applife Update, firmware flashing, secure FTP endpoints)
  • Security-relevant cloud or auxiliary services operated by Labtech

Out of Scope

The following are generally considered out of scope:

  • Social engineering, phishing, or physical attacks against Labtech staff or customers
  • Denial-of-service (DoS/DDoS) attacks that do not result in data compromise
  • Issues in third-party hospital infrastructure outside Labtech’s responsibility
  • Spam or unsolicited email reports not related to security vulnerabilities

How to Report a Vulnerability

When reporting a vulnerability, please include as much of the following information as possible:

  • Product name and version (e.g., Cardiospy PC 5.x, Cardiospy Mobile 3.x, EC-12RM firmware version)
  • A clear description of the issue and potential impact
  • Exact steps to reproduce the issue (including configuration and environment)
  • Proof-of-concept code or screenshots (if available and safe)
  • Any suggested CVSS score or severity assessment (optional)
  • Your preferred contact details for follow-up

If your report contains sensitive technical details or could expose patient data, please encrypt it using our PGP key
before sending it by email.

Coordinated Vulnerability Disclosure Process

Labtech Kft. follows a coordinated approach to vulnerability disclosure that balances transparency, patient safety, and timely remediation.

Process Overview

  1. Submission – You submit a vulnerability report using the contact form available under the “Contact” menu on our website. Please indicate that your message relates to a cybersecurity or vigilance issue, or clearly state that it is a security vulnerability report.
  2. Acknowledgement (≤ 48 hours) – We confirm receipt of your report.
  3. Initial triage (≤ 72 hours) – We assess reproducibility, impact, and scope.
  4. Investigation & validation – Our security and R&D teams, and where needed an accredited cybersecurity laboratory, validate the issue.
  5. Remediation plan – We define and implement mitigations (patch, configuration change, or compensating controls).
  6. Coordinated disclosure – Once a fix is available, we notify affected customers and, when appropriate, publish a security advisory.
  7. Researcher credit – With your consent, we acknowledge your contribution in our advisories.

Remediation Targets (SLA)

Severity (internal classification)    Target remediation time
Critical / High                       ≤ 15 business days
Medium                                ≤ 60 business days
Low                                   Next scheduled release

Actual timelines may vary depending on clinical impact, complexity, and coordination with healthcare providers and regulators.

Good-Faith Research & Safe Harbor

Labtech Kft. strongly supports good-faith security research that aims to improve the safety and effectiveness of
medical devices.

We commit that:

  • We will not initiate legal action against researchers who:
    • report vulnerabilities in good faith,
    • respect patient privacy and data protection regulations, and
    • follow the guidelines outlined on this page.
  • We consider testing and reporting done under this policy to be authorized for the purpose of improving the security of Labtech devices and software.
  • We will work with you to understand and remediate the vulnerability, and to coordinate public disclosure where appropriate.

Researcher Guidelines & Expectations

To protect patients and healthcare providers, we ask that researchers:

  • Do not intentionally access, modify, or delete real patient data.
  • Do not disrupt clinical services or hospital operations.
  • Do not perform tests on live systems used in direct patient care.
  • Use test environments or non-production configurations whenever possible.
  • Stop testing and contact us immediately if you encounter patient-identifiable data by accident.
  • Comply with applicable laws and healthcare privacy regulations (e.g. GDPR).

Examples of Out-of-Scope Reports

While we welcome all good-faith reports, the following types of issues are generally out of scope for this program:

  • Physical attacks on devices, facilities, or network equipment.
  • Social engineering, phishing, or fraud targeting Labtech staff or customers.
  • Denial-of-service (DoS/DDoS) attacks without data compromise.
  • Vulnerabilities in third-party products not maintained by Labtech.
  • Non-security bugs that do not impact confidentiality, integrity, or availability.

If you are unsure whether your finding is in scope, we encourage you to contact us – we prefer to review a report rather
than potentially miss an important issue.

Security Advisories & Bulletins

When vulnerabilities are confirmed and remediated, Labtech may publish security advisories with CVE identifiers,
technical details, and guidance for customers and healthcare providers.

Advisory Archive

At this time, there are no publicly listed security advisories. Future advisories will appear in a list below.

Reference Documents

For regulators, notified bodies, and hospital IT/security teams, detailed cybersecurity documentation – including
our full Coordinated Vulnerability Disclosure Policy and risk assessment reports – is available on request.

  • Cybersecurity Risk Assessment and Incident Response Plan (device-specific, on request)
  • SBOM and KEV monitoring documentation (on request, under NDA)

Last updated: 2025.12.12.