Responsible Disclosure Process

Kestra Medical Technologies, Inc. (Kestra) is committed to providing safe and secure products to all users of our product systems, including patients and the healthcare delivery organizations who support them. Assuring the cybersecurity of our product systems is a critical part of our commitment. Kestra’s ISO 13485 Medical Device Quality Management System incorporates cybersecurity considerations throughout the product development process, beginning with the initial planning of a new product and continuing through its design, development, testing, and placement into service.

Kestra welcomes the opportunity to learn about potential product security vulnerabilities from reporters outside our organization, including all users of our product systems and outside researchers. Kestra takes appropriate action when we learn of vulnerabilities, whether identified by our own team or outside reporters.

How to Report a Potential Product Security Vulnerability Finding

Kestra maintains a system to triage and verify potential product security vulnerability findings and, as necessary, to appropriately respond to confirmed vulnerabilities. Please send any findings via secure email to Kestra’s product security team at: security@kestramedical.com. We request that those reporting findings provide the following information, if available:

1. Reporter’s name, organization, and contact information.

2. Details about the device(s) in which the potential vulnerability was identified, including model number(s), serial number(s), and software version number(s).

3. How the potential vulnerability was found.

4. Details that would help Kestra reproduce the issue, including as applicable:

   1. Network configuration

   2. Type of vulnerability (such as CVE or other information describing the issue)

   3. Steps to reproduce and/or proof of exploit code.

5. Plans you may have for public disclosure.

6. Please do not include any private or protected health information in your submission.

How Kestra Will Respond

1. Kestra will acknowledge your submission within 5 business days of its receipt.

2. We will provide a point of contact at Kestra to work with you to evaluate the finding.

3. If Kestra confirms the vulnerability you submitted, Kestra will determine its response to the vulnerability, and will discuss its planned response with you.

4. If you plan to publicize the finding, Kestra will collaborate with you to coordinate timing of the disclosure so the possibility of exploitation by hostile actors can be minimized.

QSP-00097-02_A