Vulnerability Handling Policy

In order to ensure the security of the medical systems including medical devices and medical applications provided by Canon Medical Systems Corporation (hereinafter referred to as "our company"), and to protect customers from cyber attacks, we have developed products based on the "Information Security Early Warning Partnership Guidelines*1." We will disclose information regarding vulnerabilities through the following process.
  1. Vulnerability monitoring
  2. Vulnerability risk assessment
  3. Disclosure of vulnerabilities (publication of security advisories)

1. Vulnerability monitoring

We regularly apply vulnerability scanning tools to detect vulnerabilities. We also regularly check for vulnerabilities posted on the website of the Information-technology Promotion Agency, Japan. We collect information on product vulnerabilities from external security researchers. We have set up a website for reporting vulnerabilities related to our products and are collecting information widely. Please contact us with any information regarding product vulnerabilities via the Product Security Information Vulnerability Report (form) on our website. The report form is encrypted using SSL/TLS. After you contact us using the report form, we will communicate with you via email. If your email or attachment contains sensitive information about undisclosed vulnerabilities, we ask that you cooperate by encrypting your email to prevent unintended disclosure of the information to third parties.

2. Vulnerability risk assessment

We use threat information provided by the US Health-ISAC (Health Information Sharing and Analysis Center) to conduct risk assessments of detected vulnerabilities. In a risk assessment, we evaluate the possibility that the vulnerability in question can be exploited in our products, the degree of harm if the vulnerability is exploited, and whether there is an active threat of the vulnerability being exploited. This assessment is scored quantitatively using the Common Vulnerability Scoring System (CVSS) as a reference.

We assess the exploitability of vulnerabilities collected through vulnerability monitoring. For those vulnerabilities that are determined to be exploitable, the product design and development department assesses the degree of harm, the available risk mitigation measures, and the threat severity of the vulnerability, and makes a comprehensive assessment. If we determine that a fix or countermeasure is required based on the comprehensive assessment, we will process the issue as a complaint within our company and disclose the vulnerability.

We also disclose vulnerabilities when a threat that may affect our products is reported and is deemed to be of high urgency.

3. Vulnerability disclosure (publication of security advisories)

We will post information about vulnerabilities on our website, including an overview of each vulnerability, the potential harm caused if it is exploited, and measures to reduce the risk of it being exploited. We will provide information about security patches that resolve the vulnerability, or about security risk mitigation measures, within three months at the latest.

When we identify vulnerabilities related to our products, we will collaborate with the Information-technology Promotion Agency (IPA) or the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) to conduct coordinated vulnerability disclosure. If it becomes necessary to issue a CVE/CWE number, we will obtain the CVE/CWE number via JPCERT/CC, and after coordinating the publication date with the reporter and other related parties, we will publish the security advisory on our website. Once a CVE number/CWE number is issued, the information will be provided to CERTs in countries outside Japan via JPCERT/CC.

In addition, we will report the vulnerability to JPCERT/CC and overseas CERTs as necessary at the same time as the disclosure. Based on the Information Security Early Warning Partnership Guidelines, in principle we will not share information about a vulnerability before its public disclosure with any third party other than the reporter, the coordinating organization, and the product developer.

If you would like to apply a security patch that resolves a vulnerability, please contact our company's nearest branch office or service center. For our company's products that are covered by a product security maintenance contract, security patches will be applied according to the maintenance plan.

If a customer requests this policy, we will provide it as a policy document.

*1 Information Security Early Warning Partnership Guidelines (issued by IPA)