Canopy has mechanisms in place to identify and address vulnerabilities in its products and respond to the requirements of its customers and patients as well as authorities. This page describes Canopy's approach for receiving reports related to potential cyber security vulnerabilities in its products and the company’s standard practice for informing customers and other required stakeholders of verified vulnerabilities.
How To Report
If you want to report a potential cyber security vulnerability in a Canopy product and/or service, please contact us at firstname.lastname@example.org.
Details We Need
To help us to address the Cyber Security issue efficiently, please provide the following details in your initial notification via email:
- Your contact details
- Preferred method of secure communication (e.g., PGP Key-ID and PGP fingerprint, Signal, etc.)
- Vulnerability finding date, time, and location
- A list of Canopy products potentially affected
As soon as we have established a secure communication channel, please provide the following details to enable fast response:
- Technical details about your finding(s)
- Steps to reproduce the issue
- If available: Proof of concept exploit code
- If applicable: Observed exploitation / observed impact / Indicators that the vulnerability may actively be exploited
Please do not include any confidential information when you provide details in your initial notification or in any follow-up correspondence. Please only include the information required for Canopy to review and handle any potential cyber security issue (e.g., a potential vulnerability or breach).
Please note that by submitting this information, you agree that Canopy may use and distribute the information as required, and you agree that the submission does not create any rights for you or create any obligations for Canopy.
All submitted personal information will be handled in accordance with our privacy notice.
How Canopy Responds to a Confirmed Vulnerability
Once a vulnerability is confirmed using the provided details, Canopy will:
- Acknowledge the receipt of alleged vulnerability to the finder as soon as the information has been reviewed and assign a contact person
- Assess the finding with the associated risks of affected product(s)
- When necessary, develop a resolution for the issue and notify the finder, affected customers, and relevant authorities
- Canopy may also, in our discretion, distribute or issue advisories to Information Sharing and Analysis Organizations (ISAOs) and other information sharing communities, or publish such advisories on this and other defined websites.
On request, the finder of the issue will be acknowledged in such advisories.
Canopy requests the finder to refrain from publishing the vulnerabilities until Canopy has explicitly agreed to do so.