Coordinated Vulnerability Disclosure.
If you believe you've found a security vulnerability in a Blue Goat Cyber service - or in a medical device we support - we want to hear from you.
Submit a vulnerability report
Use this secure form to send the basics of your finding. For sensitive technical details, email [email protected] - we'll reply with a PGP key on request.
Our commitments to you
- • We will acknowledge your report within 3 business days.
- • We will work with you to understand and validate the issue.
- • We will not pursue legal action for good-faith research conducted under this policy.
- • We will credit you publicly once a fix is shipped, if you wish.
What to include in your report
- • Affected product, service, or URL.
- • Steps to reproduce, including any required configuration.
- • Impact you believe the issue could have.
- • Whether you've discussed it with anyone else.
Safe harbor & responsible disclosure
Please give us a reasonable time to investigate and remediate before disclosing publicly. Avoid privacy violations, service degradation, and destructive testing. Do not access or modify data belonging to others.
Reporting an issue in a customer's medical device?
We will coordinate with the device manufacturer and, where applicable, the FDA and CISA under accepted CVD practices.
Email our CVD teamStand up a CVD program in an afternoon.
Generate a §524B-aligned disclosure policy, then size your postmarket monitoring cadence.
Building or running a CVD program?
Coordinated Vulnerability Disclosure is one piece of a full postmarket cybersecurity program. We help manufacturers stand the rest up.
Postmarket cybersecurity services
Vulnerability monitoring, CVD intake, patch validation, and FDA reporting workflows.
Learn moreFDA-compliant SBOMs
SPDX/CycloneDX SBOMs with continuous CVE/KEV mapping - the foundation of any CVD program.
Learn moreLegacy medical device cybersecurity
Managing security for deployed devices that pre-date current FDA guidance.
Learn moreMedical device penetration testing
Independent testing to find issues before researchers report them through CVD.
Learn moreThreat modeling
Documented threat models that make incoming CVD reports faster to triage.
Learn moreAbout Blue Goat Cyber
SDVOSB medical device cybersecurity firm - 250+ FDA submissions and zero rejections.
Learn moreGet FDA cleared without the cybersecurity headaches.
30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ submissions.