Coordinated Vulnerability Disclosure Policy

Cala Health, Inc.
Version 1.0

Effective Date: October 9, 2025

1. Introduction

At Cala Health, Inc. (Cala Health, we), the safety, security, and privacy of our patients and users is our highest priority. As a developer and manufacturer of FDA-regulated Class II medical devices — including a wrist-worn neuromodulation device for managing essential tremor (ET) and Parkinson’s disease (PD) — we are committed to maintaining robust cybersecurity throughout the lifecycle of our products.

This Coordinated Vulnerability Disclosure (CVD) Policy outlines our approach to receiving, evaluating, and addressing cybersecurity vulnerabilities in our products and systems.

This CVD policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

We encourage you to contact us to report potential vulnerabilities in our systems.

2. Scope

This policy applies to Cala Health products and systems and to potential vulnerabilities in them.

The following systems and devices are excluded from the scope of this policy and are not authorized for testing:

  • Vulnerabilities found in third-party platforms or products not developed or maintained by Cala Health.
  • Legacy products that are no longer supported and are marked end-of-life.
  • Any service not expressly listed above, including any connected services; these are excluded from scope and are not authorized for testing.

Vulnerabilities found in systems from our vendors should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at security@calahealth.com.

Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first.

3. Guidelines

Under this policy, “research” means activities in which you:

  • Notify us as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
  • Provide us a reasonable amount of time to resolve the issue.
  • Do not submit a high volume of low-quality reports.

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

4. Our Commitment to Researchers

We believe that security researchers, ethical hackers, and the broader cybersecurity community are essential allies in keeping our devices secure. We are committed to:

  • Working in good faith with researchers
  • Acknowledging receipt of vulnerability reports within seven calendar days
  • Providing status updates throughout the investigation and remediation process

5. How to Report a Vulnerability

For submitting a report, follow the instructions in the link provided below:

calahealth.com/security-report

6. Responsible Disclosure Guidelines

We ask that you:

  • Do not exploit the vulnerability beyond what is necessary to demonstrate the issue
  • Do not access, modify, or delete patient data or any personal information
  • Do not perform denial-of-service (DoS) testing or other tests that impair access to or damage a system or data
  • Do not conduct physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
  • Provide us a reasonable amount of time (typically 90 days) to resolve the issue before publicly disclosing it
  • Understand that we may request extensions or accelerated coordination depending on risk severity and patch readiness

We will coordinate with you regarding the timing and content of any public disclosure.

7. Vulnerability Handling and Remediation Process

Upon receiving a report, Cala Health will:

  1. Acknowledge the report within seven calendar days
  2. Assess severity with our internal engineering, QA, and cybersecurity teams
  3. Develop and validate a mitigation or remediation patch as appropriate
  4. Notify affected users and regulatory bodies (e.g., FDA, HHS, ICS-CERT) as required
  5. Publicly disclose the vulnerability and remediation, if appropriate

8. Recognition and Credit

With your consent, we may publicly acknowledge your contribution in our Security Hall of Fame or release notes. We do not offer monetary bounties at this time.

9. Legal Safe Harbor

Cala Health, Inc. supports legal safe harbor for cybersecurity research and will not pursue legal action against good-faith researchers who comply with this policy during their security research. Research activities that comply with this policy will be considered authorized, and Cala Health will collaborate with you to understand and resolve the issue quickly.

Examples of compliance with the policy include, but are not limited to:

  • Report vulnerabilities to us as outlined here
  • Avoid harm to patient safety or privacy
  • Avoid accessing personal data
  • Refrain from publicly disclosing the issue without coordinated approval

This policy aligns with guidance from the FDA’s Postmarket Management of Cybersecurity in Medical Devices and ISO/IEC 29147, Information Technology – Security Techniques – Vulnerability Disclosure.

10. Contact Us

If you have any questions about this policy or are unsure whether your research falls within scope, please contact us at:

security@calahealth.com

© 2019–2025 Cala Health, Inc. All Rights Reserved. Cala, Cala TAPS, kIQ, Trio, and TAPS are trademarks of Cala Health, Inc. WEB-20028 Rev A
WEB-20025 Rev A