DICOM Disclosure Policy

Introduction

DICOM is committed to supporting the security of the healthcare sector by ensuring the DICOM Standard is protected. This policy is intended to give security researchers clear guidelines to convey our preferences in how to submit potential DICOM vulnerabilities to us.

This policy describes what types of research are covered under this policy, how to send us vulnerability reports, and what to expect from our disclosure process.

We encourage you to contact us to report potential vulnerabilities in our systems.

Scope

Security researchers should only disclose potential vulnerabilities related to DICOM. Disclosures related to product problems should be directed to the product vendor. Disclosures related to deployment problems should be directed to the deployment site.

In the event a disclosure is not DICOM-specific, DICOM may make a best effort to re-direct security researchers to the proper disclosure channel as resources allow. However, non-DICOM disclosures will necessarily be deprioritized and closed as soon as possible.

Reporting a vulnerability

This section describes communication mechanisms and processes for submitting vulnerabilities. Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. We may share your report with Information Sharing Organizations, such as the Cybersecurity and Infrastructure Security Agency, where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.

We accept vulnerability reports via dicom@dicomstandard.org. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report.

By submitting a vulnerability, you acknowledge that you have no expectation of payment and that you expressly waive any future pay claims related to your submission.

What we would like to see from you

To help us prioritize submissions, we recommend that your reports:

  • Describe the section of the standard which contains the security vulnerability
  • Describe the potential impact of the vulnerability
  • Describe the process to exploit the vulnerability, if possible
  • Offer a detailed description of the steps needed to mitigate the risks (proof of concept scripts or screenshots are helpful).
  • Offer a suggested improvement to the standard
  • Be in English, if possible.

What you can expect from us

If you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

  • We will acknowledge that your report has been received.
  • To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
  • We will maintain an open dialogue to discuss issues.

What we share with the public

DICOM has an open process for adding, correcting, and clarifying the DICOM standard.  The DICOM News (https://dicomstandard.org/news) is updated regularly to show all changes that are in progress or recently completed.  Changes to revise the standard for security related reasons are included in this process in the same way as any other change. 

Questions

Questions regarding this policy may be sent to dicom@dicomstandard.org. We also invite you to contact us with suggestions for improving this policy.