Philips has named Mike Ahmadi, global director of critical systems security for Synopsys Software Integrity Group, to its Responsible Disclosure Hall of Honors.
Responsible disclosure, also known as coordinated vulnerability disclosure, means that the first reporter of a new vulnerability has chosen to work with the vendor to demonstrate the validity of the finding and to mitigate the problem. The first reporter also agrees with the vendor on a date on which the vulnerability will be disclosed to the public. This is the opposite of a zero-day, where the reporter discloses a vulnerability without first contacting the vendor, or discloses it before the vendor has a mitigation available.
On Wednesday, Philips named Mike Ahmadi, global director of critical systems security for Synopsys Software Integrity Group, to its Responsible Disclosure Hall of Honors. In addition to Ahmadi, Philips also named five other researchers:
In July, Ahmadi and Rios (WhiteScope) publicly disclosed 460 vulnerabilities in one medical device, Philips Xper Connect, an optional bidirectional hospital information system (HIS) interface. The researchers used Black Duck Binary Analysis (formerly Protecode/AppCheck) to identify that 272 of these vulnerabilities were present in five software packages in the Xper IM Connect system software, and that 188 of the vulnerabilities were associated with the Windows XP operating system, which is no longer supported by Microsoft. Ahmadi and Rios worked with Philips to coordinate an ICS-CERT advisory with an appropriate mitigation strategy for customers affected by these vulnerabilities.
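The attribution step the paragraph describes, where a binary-analysis tool maps known vulnerabilities onto the third-party packages it found in a device image and separates out those that belong to an unsupported operating system, can be illustrated with a small software-composition-analysis matcher. The following is an added example written for this page; it is not code from the article, from Synopsys, or from Black Duck Binary Analysis. It assumes the hard part, recognizing which packages and versions are inside the binary, has already been done and is supplied as an inventory. Every component name, version, advisory id and version range below is a constructed placeholder, not data from the article or from any real advisory database.

```python
"""Toy software-composition-analysis matcher (added example, constructed data).

Given an inventory of identified components and a list of advisories with
affected-version ranges, attribute each applicable advisory to a component,
count findings per package, and flag how many sit in an operating system the
vendor can no longer patch (so the mitigation must be a platform migration,
not a vendor fix).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # placeholder id, NOT a real CVE number
    package: str
    introduced: str           # first affected version (inclusive)
    fixed: Optional[str]      # first fixed version (exclusive); None = no fix exists


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.1.2600' -> (5, 1, 2600) so versions compare numerically, not lexically
    ('10.0' must sort after '9.0')."""
    return tuple(int(part) for part in v.split("."))


def is_affected(component: Component, adv: Advisory) -> bool:
    """True if the advisory's package matches and the component's version lies
    inside [introduced, fixed)."""
    if component.name != adv.package:
        return False
    v = parse_version(component.version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def match_advisories(components: Iterable[Component],
                     advisories: Iterable[Advisory]) -> Dict[str, str]:
    """Return {advisory_id: component_name} for every advisory that applies."""
    hits: Dict[str, str] = {}
    for comp in components:
        for adv in advisories:
            if is_affected(comp, adv):
                hits[adv.advisory_id] = comp.name
    return hits


def summarize(components: List[Component], advisories: List[Advisory],
              unsupported_os: Iterable[str]) -> dict:
    """Aggregate findings the way a disclosure write-up would present them:
    total, per-package counts, and the share attributable to an end-of-life OS."""
    hits = match_advisories(components, advisories)
    per_package = Counter(hits.values())
    unsupported = set(unsupported_os)
    os_total = sum(n for pkg, n in per_package.items() if pkg in unsupported)
    return {
        "total": len(hits),
        "per_package": dict(per_package),
        "unsupported_os_findings": os_total,
        "needs_platform_migration": os_total > 0,
    }


# --- constructed sample inventory and advisory feed (placeholders only) ---
SAMPLE_COMPONENTS = [
    Component("libfoo", "1.2.3"),
    Component("libbar", "2.0.0"),
    Component("ExampleOS", "5.1"),     # stands in for an unsupported OS
    Component("libbaz", "3.4.0"),
]

SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "libfoo", "1.0.0", "1.3.0"),     # applies
    Advisory("ADV-0002", "libfoo", "1.2.4", None),        # too new to apply
    Advisory("ADV-0003", "libbar", "2.0.0", "2.0.1"),     # applies
    Advisory("ADV-0004", "ExampleOS", "5.0", None),       # applies, no fix
    Advisory("ADV-0005", "ExampleOS", "5.1", "5.2"),      # applies
    Advisory("ADV-0006", "libbaz", "1.0", "3.0"),         # already fixed
    Advisory("ADV-0007", "libqux", "1.0", None),          # package not present
]

UNSUPPORTED_OS = {"ExampleOS"}


def report() -> dict:
    """Run the matcher over the constructed sample data."""
    return summarize(SAMPLE_COMPONENTS, SAMPLE_ADVISORIES, UNSUPPORTED_OS)


if __name__ == "__main__":
    print(report())
```

The split the function reports is the one that matters for a mitigation strategy: findings in a vendor-maintained package can be closed by shipping an updated package, while findings attributed to an unsupported OS have no upstream fix and push the advisory toward compensating controls or migration.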
Philips maintains a responsible disclosure statement that helps researchers identify the steps necessary to report new vulnerabilities. The company maintains an email address (firstname.lastname@example.org) along with a PGP key to encrypt the correspondence and prevent premature leakage of vulnerability information.