Coordinated Disclosure Process Inspire Medical Systems, Inc.

Introduction

Inspire Medical Systems, Inc. (“Inspire”) is committed to ensuring the security and privacy of our products and systems and we encourage you to contact us to report potential vulnerabilities.

Guidelines

We ask that you please conduct security research and testing in a safe manner abiding by the following guidelines:

• Do not compromise public safety.

• Do not perform research or testing on products and/or systems that are currently being used, or will be used in the future, by patients or clinicians for active therapy delivery or management. 

• Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems. 

• Comply with U.S. and local laws and regulations.

• Do not download, export, or store Inspire’s data under any circumstances. 

• Do not cause any data privacy or intellectual property violations.

Specifically, the following activities are prohibited: 

• Denial of Service attacks against Inspire, its products, or any of its third-party providers;

• Social engineering or phishing to solicit login passwords or credentials from Inspire employees, contractors, or third-parties;

• Physical attacks against Inspire employees, offices, or data centers;

• Knowing distribution of any malware; and

• Using unsolicited bulk messaging (spam) to pursue any vulnerabilities.

Reporting a Vulnerability

Please submit potential security vulnerabilities or privacy issues to [email protected] encrypted using our PGP Public Key. If possible, please submit reports in English.

What we would like to see from you. To help us assess each security vulnerability or privacy issue appropriately, we request that your reports include:

• Your contact information so that we can follow up with you. 

• A technical description including as many of the following details as possible:

  • Product description including model numbers and serial numbers;

  • Network configuration details; and

  • Detailed description of the steps needed to reproduce including proof-of-concept code, screenshots, tools and techniques used, etc.

• An indication of whether you were able to access any Protected Health Information (PHI) or other Personally Identifiable Information (PII). 

  • Please do NOT include any PHI or other PII in your report.

• Details on previous or planned notification to any other parties and any intent to publicly disclose the issue, and any relevant timeline information. 

• Any information you have on whether the vulnerability is being actively exploited, or is known to others.

What you can expect from us. If you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

• Within 5 business days, we will acknowledge that your report has been received. 

• To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about our risk assessment and any steps we are taking in response, including issues or challenges that may delay resolution. 

• We will maintain an open dialogue to discuss issues. 

Questions

Questions regarding this policy may be sent to [email protected]. We also invite you to contact us with suggestions for improving this policy.

Notice

This process is subject to change without notice and may be modified on a case-by-case basis.  In the case you decide to share any information with Inspire, you agree that the information you submit will be considered as non-proprietary and non-confidential and that Inspire is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for Inspire. This process does not make you an employee or contractor of Inspire.