Posted by Synopsys Editorial Team on November 16, 2016
On Wednesday, Philips named Mike Ahmadi, Global Director of Critical Systems Security for Synopsys Software Integrity Group, to its Responsible Disclosure Hall of Honors.
Responsible Disclosure, also known as Coordinated Vulnerability Disclosure, means that the first reporter of a new vulnerability has chosen to work with the vendor to demonstrate the validity of the finding and to mitigate the problem. The first reporter also agrees with the vendor on a date on which the vulnerability will be disclosed to the public. This is the opposite of a zero day, where the reporter discloses a vulnerability without first contacting the vendor, or discloses it before the vendor has a mitigation available.
In addition to Ahmadi, Philips also named five other researchers including:
In July, Ahmadi and Rios, from WhiteScope, publicly disclosed 460 vulnerabilities in one medical device, Philips Xper Connect, an optional bidirectional hospital information system (HIS) interface. The researchers used Synopsys Protecode SC (formerly AppCheck) to identify that 272 of these vulnerabilities were present in 5 software packages included in the Xper-IM Connect system software, and 188 of the vulnerabilities were associated with the Windows XP operating system, which is no longer supported by Microsoft. Ahmadi and Rios worked with Philips to coordinate an ICS-CERT advisory with an appropriate mitigation strategy for customers affected by these vulnerabilities.
Philips maintains a responsible disclosure statement that helps researchers identify the steps necessary to report new vulnerabilities. The company maintains an email address, firstname.lastname@example.org, along with a PGP key to encrypt the correspondence and prevent premature leakage of vulnerability information.