Ä¢¹½´«Ã½

Country websites

Product Security and Coordinated Vulnerability Disclosure

At Ä¢¹½´«Ã½, we prioritize the security of our products, solutions, and services for our valued customers, donors, and patients. OurÌýProduct Security TeamÌýactively collaborates with industry partners, including customers, cybersecurity researchers, and security vendors, to encourage early detection of cyber threats and enhance the security of our products. Across Ä¢¹½´«Ã½ verticals and value streams, we continuously strive to improve security and protect information throughout the product lifecycle. One way in which we do this is by collecting vulnerability reports through a formalÌýCoordinated Vulnerability Disclosure (CVD)Ìýprocess. We strongly believe in industry collaboration, which is essential to making our products secure by design with our partners, customers, the cyber security research community (researching and evaluating emerging threats), and security agencies and organizations, we appreciate the opportunity to work together.

We encourage vulnerability testing of Ä¢¹½´«Ã½ products and services by security researchers and customers who support responsible reporting to Ä¢¹½´«Ã½. We maintain a product security page with information on coordinated vulnerability disclosure, vulnerability reporting, and published vulnerability advisories. We are committed to ensuring that our medical devices, solutions, and services are cyber-secure and the systems operate securely to ensure patient safety and data privacy.

Reporting Pre-Requisites

Security researchers must comply with the following pre-requisites at all times:

  • Ensure that actions do not put patient safety and sensitive data at risk
  • Comply with all applicable laws and regulations of your location and Ä¢¹½´«Ã½ locations
  • Do not publicly disclose the vulnerability details

Submit a Report

Security Advisories

Prompt Notification:ÌýIf you discover a real or potential cybersecurity issue, please notify us promptly.
Mitigation Efforts:ÌýMake every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and data manipulation or destruction.
Responsible Exploitation:ÌýWhen confirming a vulnerabilityÄ¢¹½´«Ã½™s presence, use exploits only to the extent necessary. Do not compromise or exfiltrate data, establish persistent command line access, or pivot to other systems.
Disclosure Timing:ÌýAllow us a reasonable amount of time to address the issue before disclosing it publicly.

Reporting a Vulnerability

We accept vulnerability reports via ourÌýCoordinated Vulnerability Disclosure formÌýon our website. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 7 business days.

We suggest operating in a manner consistent with existing cyber security standards, specifically regarding utilizing forms of encryption. For particularly sensitive information, submit through the HTTPS web form.

By submitting a vulnerability, you acknowledge that you have no expectation of payment and that you expressly waive future pay claims related to your submission against FreseniusÌýMedicalÌýCare.

What We Require From You

Technical Description:ÌýInclude the following technical information:

  • Specific product tested (product name and version number).
  • Technical infrastructure tested (operating system, version, network configuration details, and any relevant information).
  • For web-based services, provide date, time, URLs, browser type, version, and input used.
  • Submit in English: If possible, submit your disclosure in English.

Ìý

Side Effects Awareness:ÌýBe aware that security testing may have hidden effects on the product. If uncertain, please get in touch with FreseniusÌýMedicalÌýCare.
Responsible Use:ÌýOnly demonstrate the vulnerability as needed.
Contact Information:ÌýShare your contact details for further communication.

Our Requirements

Patient Care Devices:ÌýDo not test devices actively used for patient care delivery, diagnostics, or monitoring.
Avoid Impact:ÌýRefrain from testing that could affect patients, donors, privacy, or equipment.
Scope Adherence:ÌýEngage in vulnerability testing within the scope of our disclosure program and agreements.
No Backdoors:ÌýDo not create backdoors in information systems; doing so can cause additional damage and unnecessary cybersecurity risks.

Our commitment includes

Patient Safety:ÌýEnsuring the security and safety of patients.
Legal Compliance:ÌýComplying with federal, territorial, state and local laws.
Information Protection:ÌýSafeguarding the confidentiality, integrity and availability (CIA) of information associated with Ä¢¹½´«Ã½ products.

What we offer

Transparency:ÌýWe will confirm vulnerabilities to the best of our ability and maintain an open dialogue.
Privacy:ÌýYour name and contact information will remain confidential (if you want).
Feedback:ÌýQuestions or suggestions? Reach out to us at PSIRT@freseniusmedicalcare.com.

Submit a report.

Please use the form provided below to submit a vulnerability report related to potential cybersecurity vulnerabilities in FreseniusÌýMedicalÌýCare-supported software, firmware products, or devices. FreseniusÌýMedicalÌýCare is committed to promptly reviewing and responding to reports of possible security vulnerabilities.

Contact Information:Ìý FreseniusÌýMedicalÌýCare is committed to ensuring the security of patients and customers who use our products and services. You can access the vulnerability report form directly on our website. Feel free to reach out if you have any further questions or need assistance. Remember, your contribution helps enhance the security of FreseniusÌýMedicalÌýCare products and protect users. We appreciate your diligence.

Vulnerability Report

Please use this contact form to email us

The information you provide will only be used to answer your query. For more information on how we process your Personal Data please read ourÌýprivacy policy