Coordinated Vulnerability Disclosure
Fresenius is a global health care group with products and services for hospital and outpatient care. With over 190.000 employees in more than 100 countries and annual sales of more than 22 billion euros, Fresenius is one of the world´s leading health care companies. Connecting medical devices via the internet to hospital networks, mobile products, and other devices or hospital systems also introduces potential cyber security and patient safety risks that must be addressed.
The Fresenius Group is committed to ensuring the security of our products and services for customers, donors and patients. To us, this means:
- Protecting the security and safety of patients.
- Complying with federal, territorial, state, and local laws.
- Protecting the confidentiality, integrity, and availability (CIA) of information associated with Fresenius connected medical devices and information.
Across Fresenius business units we continuously strive to improve security and protect information throughout the product lifecycle. One way in which we do this is by collecting vulnerability reports through a formal CVD process.
At Fresenius, we believe industry collaboration is essential to making our products more secure by design. Whether our partners are customers managing the cyber security in their own environments, the cyber security research community helping us better research and evaluate emerging threats, or security vendors identifying practical security solutions, we appreciate the opportunity to work together.
We encourage vulnerability testing by security researchers and by customers, with responsible reporting to Fresenius. We maintain a product security page with information on coordinated vulnerability disclosure at Vulnerability Report Advisories.
What you can expect from us
-
We will confirm the existence of the vulnerability to the best of our ability and be as transparent as possible
-
We will maintain an open dialogue to discuss issues
-
We will not share your name or contact information without your permission
Questions
Questions regarding this policy may be sent to ProductSecurity@fresenius.com. We also invite you to contact us with suggestions for improving this policy.
Scope
This vulnerability disclosure program is:
- applicable to all products manufactured and sold by the Fresenius Group
- not applicable to Fresenius IT infrastructure including webpages
Guidelines
- Notify us as soon as possible following the discovery of a real or potential cyber security issue
- Make efforts to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data
- Only use exploits to the extent required to confirm a vulnerability´s presence, without compromising or exfiltrating data, establishing persistent command line access, or using the exploit to pivot to other systems
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly
Reporting a vulnerability
- we accept vulnerability reports via our Coordinated Vulnerability Disclosure form. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 7 business days.
- we suggest operating these programs in a manner consistent with existing cyber security standards, specifically in regards to utilizing forms of encryption (e.g., hashing, PGP encrypted email). For paticulary sensitive information, submit trough out HTTPS web form.
- By submitting a vulnerability, you acknowledge that you have no expectation of payment and that you expressly waive future pay claims against Fresenius related to your submission.
What we need from you
To help us triage and prioritize submissions, we recommend that your reports:
- Describe the situation the vulnerability was discovered and the potential impact of exploitation.
- Provide a technical description of the potential vulnerability, including:
- Available information on which specific product you tested, including product name and version number; the technical infrastructure tested, including operating system and version; and any relevant additional information, such as network configuration details or proof of concept.
- For web-based services, provide the date and time of testing, URLs, the browser type and version, as well as the input provided to the application.
- Submit disclosure in English, if possible.
- Be aware that security testing may have side effects on the product that are not apparent. When in doubt, decommission the device and contact Fresenius.
- Use a vulnerability only as needed to demonstrate it if identified.
- Submit contact information for further exchange and communication.
Likewise, we require that you:
- Never perform security testing on devices actively being utilized for patient care delivery, diagnostics or monitoring, or on those systems that will be utilized for patient care delivery after your investigation.
- Avoid testing that could impact patients and donors, cause a privacy issue, or damage equipment.
- Engage in vulnerability testing within the scope of our vulnerability disclosure program in accordance with the terms and conditions of agreements entered between Fresenius and individuals.
- Never build your own backdoor in an information system with the intention of then using it to demonstrate the vulnerability, as doing so can cause additional damage and create unnecessary cyber security risks.