At Ä¢¹½´«Ã½, we prioritize the security of our products, solutions, and services for our valued customers, donors, and patients. OurÌýProduct Security TeamÌýactively collaborates with industry partners, including customers, cybersecurity researchers, and security vendors, to encourage early detection of cyber threats and enhance the security of our products. Across Ä¢¹½´«Ã½ verticals and value streams, we continuously strive to improve security and protect information throughout the product lifecycle. One way in which we do this is by collecting vulnerability reports through a formalÌýCoordinated Vulnerability Disclosure (CVD)Ìýprocess. We strongly believe in industry collaboration, which is essential to making our products secure by design with our partners, customers, the cyber security research community (researching and evaluating emerging threats), and security agencies and organizations, we appreciate the opportunity to work together.
We encourage vulnerability testing of Ä¢¹½´«Ã½ products and services by security researchers and customers who support responsible reporting to Ä¢¹½´«Ã½. We maintain a product security page with information on coordinated vulnerability disclosure, vulnerability reporting, and published vulnerability advisories. We are committed to ensuring that our medical devices, solutions, and services are cyber-secure and the systems operate securely to ensure patient safety and data privacy.
Reporting Pre-Requisites
Security researchers must comply with the following pre-requisites at all times:
Prompt Notification:ÌýIf you discover a real or potential cybersecurity issue, please notify us promptly.
Mitigation Efforts:ÌýMake every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and data manipulation or destruction.
Responsible Exploitation:ÌýWhen confirming a vulnerabilityÄ¢¹½´«Ã½™s presence, use exploits only to the extent necessary. Do not compromise or exfiltrate data, establish persistent command line access, or pivot to other systems.
Disclosure Timing:ÌýAllow us a reasonable amount of time to address the issue before disclosing it publicly.
We accept vulnerability reports via ourÌýCoordinated Vulnerability Disclosure formÌýon our website. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 7 business days.
We suggest operating in a manner consistent with existing cyber security standards, specifically regarding utilizing forms of encryption. For particularly sensitive information, submit through the HTTPS web form.
By submitting a vulnerability, you acknowledge that you have no expectation of payment and that you expressly waive future pay claims related to your submission against FreseniusÌýMedicalÌýCare.
Technical Description:ÌýInclude the following technical information:
Ìý
Side Effects Awareness:ÌýBe aware that security testing may have hidden effects on the product. If uncertain, please get in touch with FreseniusÌýMedicalÌýCare.
Responsible Use:ÌýOnly demonstrate the vulnerability as needed.
Contact Information:ÌýShare your contact details for further communication.
Patient Care Devices:ÌýDo not test devices actively used for patient care delivery, diagnostics, or monitoring.
Avoid Impact:ÌýRefrain from testing that could affect patients, donors, privacy, or equipment.
Scope Adherence:ÌýEngage in vulnerability testing within the scope of our disclosure program and agreements.
No Backdoors:ÌýDo not create backdoors in information systems; doing so can cause additional damage and unnecessary cybersecurity risks.
Patient Safety:ÌýEnsuring the security and safety of patients.
Legal Compliance:ÌýComplying with federal, territorial, state and local laws.
Information Protection:ÌýSafeguarding the confidentiality, integrity and availability (CIA) of information associated with Ä¢¹½´«Ã½ products.
Transparency:ÌýWe will confirm vulnerabilities to the best of our ability and maintain an open dialogue.
Privacy:ÌýYour name and contact information will remain confidential (if you want).
Feedback:ÌýQuestions or suggestions? Reach out to us at PSIRT@freseniusmedicalcare.com.
Please use this contact form to email us
The information you provide will only be used to answer your query. For more information on how we process your Personal Data please read ourÌýprivacy policy