Product Security

Nyxoah is committed to ensuring the safety and security of patients, caregivers, operators, and customers who use our products and services.

We value the contributions of the security research community. If you believe you have identified a potential security vulnerability in one of our products or services, we would like to know so we can investigate further.

When submitting a report of a potential vulnerability, please follow the procedures below to ensure confidential communication and efficient support.

Contact Information

Email product.security@nyxoah.com, using the Nyxoah PGP public key to encrypt your message.

How to report a potential security vulnerability

  1. Use our PGP (Pretty Good Privacy) public key to encrypt all communications regarding the potential product security vulnerability.
  2. Include detailed information to contact you (email address, phone number, organization name) and preferably your PGP public key for secure communication. Nyxoah will never share your contact information without explicit consent.
  3. Provide a technical description of the security concern or vulnerability, including:
    a) How and when it was discovered.
    b) Which products/devices/systems it impacts, including name(s) and version number(s).
    c) Whether you were able to access/compromise any protected health information or personally identifiable information about any user of the product/system. Please refrain from including any protected health information or personally identifiable information in this submission.
    d) Any additional information you perceive to be helpful to us, such as testing environment, tools used to conduct the testing, specific assumptions, and ways to reproduce the vulnerable behavior.
  4. Provide information regarding whether you have notified anyone else about the potential vulnerability, such as regulatory agencies, vendors, vulnerability coordinators, information sharing organizations, other security researchers, etc.

What to expect from Nyxoah

  1. Nyxoah will acknowledge receipt of your report within 5 business days.
  2. Nyxoah will provide you a unique reference number for your report.
  3. Nyxoah will assign a contact person to each case who might reach out to you in case further communication is required for a clear understanding of the potential vulnerability.
  4. Nyxoah will keep you informed on the status of your report.
  5. Nyxoah will route the issue to specific product security teams, which will take the following steps:
    a) Verify the reported vulnerability.
    b) Assess whether the vulnerability is in a 3rd party component that is part of our product/service. Nyxoah will contact the 3rd party with your vulnerability report and provide your contact information after seeking your consent.
    c) If the issue is under Nyxoah's purview, work on a resolution/mitigation.
    d) Perform validation testing on the resolution.
    e) Release the resolution.
  6. In cases of a cybersecurity compromise or the availability of cybersecurity patches and upgrades for products, users will be notified via the Nyxoah website and/or direct customer notifications.

Important Notes

  • It is recommended that you comply with local laws and regulations while conducting your security research and avoid any actions that could harm products or users, such as exploiting a vulnerability in a product that is in use.
  • Nyxoah will provide full credit to researchers who submit a vulnerability report, in a publicly released patch/security fix or communication, if requested by the researcher.
  • The policy described here is not a guarantee, but rather a statement of Nyxoah's intentions that is subject to change depending upon the specific situation.
  • As part of coordinated vulnerability disclosure, Nyxoah encourages all security researchers to engage with Nyxoah on identifying the public release dates of the potential vulnerabilities, if a public release is planned.
  • By submitting this information to Nyxoah through this process, you are agreeing that submission of the information does not create any rights for you, that such information will be considered to be non-confidential and non-proprietary to you, and that Nyxoah will be entitled to such information in whole or in part for any use or purpose whatsoever, without restriction and without compensating you or in any other way obligating Nyxoah.
  • Currently, Nyxoah does not have a bug bounty program in place.