cybersecurity

Purpose

• HeartHero is committed to ensuring the cybersecurity of our medical devices and related systems, including the Elliot Automated External Defibrillator (AED), HeartHero Mobile Application (Mobile App), and HeartHero Cloud Services (Cloud Software). We recognize the critical role that security researchers and the broader community play in identifying potential vulnerabilities to protect patient safety and device effectiveness.
• This Coordinated Vulnerability Disclosure (CVD) Policy outlines our process for receiving, assessing, and addressing cybersecurity vulnerability reports in a responsible and collaborative manner. It aligns with FDA guidances on "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions" (June 27, 2025) and "Postmarket Management of Cybersecurity in Medical Devices" (December 28, 2016), as well as ISO/IEC 29147:2014 for vulnerability disclosure.
• By following this policy, researchers can report vulnerabilities securely without fear of legal repercussions, provided they adhere to the guidelines herein. Our goal is to minimize risks to users while allowing sufficient time for remediation before public disclosure.
• This policy will be reviewed annually or as needed.

Scope

This policy applies to vulnerabilities in:

• Elliot AED firmware, including integrated components like the ecg_ShockLib library, Bluetooth Low Energy (BLE) via BMD-300 module, and LTE via BG95-M3 module.
• HeartHero Mobile App (iOS-based companion application for device management and OTA updates).
• HeartHero Cloud Services (MDDS for data storage, retrieval, and reporting, hosted on AWS).
• Vulnerabilities in third-party OTS software (e.g., FreeRTOS, Realm, BlueJay) should be reported to us if they impact our systems; we will coordinate with suppliers as appropriate.
• Out-of-scope: Non-HeartHero products, social engineering, physical security, or denial-of-service testing without prior approval. Vulnerabilities in vendor systems should be reported directly to the vendor per their disclosure policy.

Reporting Guidelines

If you discover a potential vulnerability, please report it responsibly to allowus time to investigate and remediate. We encourage submissions fromsecurity researchers, users, and other stakeholders.

How to Report

Submission Channel

• Email reports to security@hearthero.com.
• Use PGP encryption (contact security@hearthero.com for public key)for sensitive details.

• Affected product/component (e.g., AED firmware version, Mobile App version).
• Steps to reproduce the vulnerability.
• Proof-of-concept (PoC) code or exploit details (non- destructive).
• Potential impact (e.g., on patient safety, data integrity, or device functionality like shock delivery).
• Your contact information (optional, for follow-up).

Do Not

• Exploit the vulnerability beyond PoC (e.g., no data exfiltration, modification, or denial of service).
• Access or disclose sensitive data (e.g., PHI from Cloud Services).
• Publicly disclose without coordination.
• Test devices in clinical use.

Reports not following these guidelines may not qualify for safe harbor protections.

Our Process and Commitments

HeartHero follows a structured CVD process integrated with our Quality Management System (QMS) procedures, including SOP-0009 Risk Management and SOP-0006 Customer Feedback and Post-Market Surveillance.

Triage and Assessment

Initial triage

• Within 72 hours, assess severity using CVSS v3.1, considering medical device context (e.g., impact on defibrillation or ECG analysis).

Investigation

• Collaborate with internal teams (e.g., Cybersecurity Lead, engineering) and suppliers per Quality Agreements. Timeline: 7-14 days for validation.

Remediation

Develop mitigations (e.g., patches, firmware updates via OTA over BLE).

Timelines

• Align with our Cybersecurity Vulnerability Management Plan - regular cycle (60 days) for low/medium risks; out-of-cycle (14 days) for high/critical.

Testing

• Validate per IEC 62304, ensuring no impact on therapeutic functions.

Disclosure Coordination

• We aim for coordinated public disclosure after remediation, typically within 90 days of validation.
• If you request earlier disclosure, we will negotiate in good faith, prioritizing patient safety (e.g., if active exploitation occurs).
• Public advisories will be posted on our website (hearthero.com/security), including CVE details if assigned, mitigations, and credits to reporters (with permission).
• We may share reports with FDA, CISA, or HSCC if they pose significant risks, without revealing reporter details unless authorized. As an active member of ISAOs such as NH-ISAC and HSCC, HeartHero shares vulnerability information in accordance with our membership commitments, which supports proactive management and potential exemptions from reporting under 21 CFR 806 for qualifying remediations.

Feedback and Recognition

• We provide status updates every 14 days during investigation.
• Reporters may receive acknowledgments in advisories. There are no monetary rewards at this time, but we evaluate bug bounty programs annually.

Legal Safe Harbor

HeartHero will not pursue legal action against researchers who:

• Follow this policy in good faith.
• Do not violate laws (e.g., CFAA) or cause harm.
• Allow reasonable time for remediation before disclosure.

This safe harbor does not apply to malicious actions, such asexploiting vulnerabilities for gain or public disclosure without coordination.

We reserve the right to modify this policy; changes will be posted online.

Contact and Questions

• For questions or to report a vulnerability, contactsecurity@hearthero.com.
• For general inquiries: support@hearthero.com.

Thank you for helping us protect patients and improve cybersecurity!