Product Security and Coordinated Vulnerability Disclosure

At Fresenius Medical Care, we prioritize the security of our products, solutions, and services for our valued customers, donors, and patients. Our Product Security Team actively collaborates with industry partners, including customers, cybersecurity researchers, and security vendors, to encourage early detection of cyber threats and enhance the security of our products. Across Fresenius Medical Care verticals and value streams, we continuously strive to improve security and protect information throughout the product lifecycle. One way in which we do this is by collecting vulnerability reports through a formal Coordinated Vulnerability Disclosure (CVD) process. We strongly believe in industry collaboration, which is essential to making our products secure by design. We appreciate the opportunity to work together with our partners, customers, the cyber security research community (researching and evaluating emerging threats), and security agencies and organizations.

We encourage vulnerability testing of Fresenius Medical Care products and services by security researchers and customers who support responsible reporting to Fresenius Medical Care. We maintain a product security page with information on coordinated vulnerability disclosure, vulnerability reporting, and published vulnerability advisories. We are committed to ensuring that our medical devices, solutions, and services are cyber-secure and the systems operate securely to ensure patient safety and data privacy.

Reporting Pre-Requisites

Security researchers must comply with the following pre-requisites at all times:

  • Ensure that actions do not put patient safety and sensitive data at risk
  • Comply with all applicable laws and regulations of your location and Fresenius Medical Care locations
  • Do not publicly disclose the vulnerability details

Prompt Notification: If you discover a real or potential cybersecurity issue, please notify us promptly.
Mitigation Efforts: Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and data manipulation or destruction.
Responsible Exploitation: When confirming a vulnerability’s presence, use exploits only to the extent necessary. Do not compromise or exfiltrate data, establish persistent command line access, or pivot to other systems.
Disclosure Timing: Allow us a reasonable amount of time to address the issue before disclosing it publicly.

Reporting a Vulnerability

We accept vulnerability reports via our Coordinated Vulnerability Disclosure form on our website. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 7 business days.

We suggest operating in a manner consistent with existing cyber security standards, specifically regarding the use of encryption. For particularly sensitive information, submit through the HTTPS web form.

By submitting a vulnerability, you acknowledge that you have no expectation of payment and that you expressly waive future pay claims related to your submission against Fresenius Medical Care.

What We Require From You

Technical Description: Include the following technical information:

  • Specific product tested (product name and version number).
  • Technical infrastructure tested (operating system, version, network configuration details, and any relevant information).
  • For web-based services, provide date, time, URLs, browser type, version, and input used.
  • Submit in English: If possible, submit your disclosure in English.

Side Effects Awareness: Be aware that security testing may have hidden effects on the product. If uncertain, please get in touch with Fresenius Medical Care.
Responsible Use: Only demonstrate the vulnerability as needed.
Contact Information: Share your contact details for further communication.

Our Requirements

Patient Care Devices: Do not test devices actively used for patient care delivery, diagnostics, or monitoring.
Avoid Impact: Refrain from testing that could affect patients, donors, privacy, or equipment.
Scope Adherence: Engage in vulnerability testing within the scope of our disclosure program and agreements.
No Backdoors: Do not create backdoors in information systems; doing so can cause additional damage and unnecessary cybersecurity risks.

Our commitment includes

Patient Safety: Ensuring the security and safety of patients.
Legal Compliance: Complying with federal, territorial, state and local laws.
Information Protection: Safeguarding the confidentiality, integrity and availability (CIA) of information associated with Fresenius Medical Care products.

What we offer

Transparency: We will confirm vulnerabilities to the best of our ability and maintain an open dialogue.
Privacy: Your name and contact information will remain confidential (if you want).
Feedback: Questions or suggestions? Reach out to us at PSIRT@freseniusmedicalcare.com.

Submit a report.

Please use the form provided below to submit a vulnerability report related to potential cybersecurity vulnerabilities in Fresenius Medical Care-supported software, firmware products, or devices. Fresenius Medical Care is committed to promptly reviewing and responding to reports of possible security vulnerabilities.

Contact Information:  Fresenius Medical Care is committed to ensuring the security of patients and customers who use our products and services. You can access the vulnerability report form directly on our website. Feel free to reach out if you have any further questions or need assistance. Remember, your contribution helps enhance the security of Fresenius Medical Care products and protect users. We appreciate your diligence.
