Your role in Medtronic product security

We value the contributions of the security research community. If you believe you have identified a potential security vulnerability in one of our products or services, we want to know so we can investigate.


Who to contact:

Email security@medtronic.com using our PGP public key to encrypt your message. We would prefer that your message be provided in English.


What details to provide: 

  • Your contact information — including name, organization, email address, and phone number — so we can follow up with you. We ask for contact information only to consult Medtronic records when addressing your submission. We never share your contact information.
  • Technical description of the concern or vulnerability, including:
    • Method of discovery (when, where, how)
    • Which products, devices, or systems are impacted, including software versions, if available
    • Whether you were able to access any protected health information or personally identifiable information in the product or service (Note: Please avoid including any protected health information or personally identifiable information in your email submission.)
    • Any additional information you think will be helpful to us, including details on the testing environment and tools used to discover the vulnerability
  • Whether you have notified anyone else about the potential vulnerability, such as regulatory agencies, vendors, or vulnerability coordinators.


What Medtronic will do:

  • Within five business days, Medtronic will confirm we have received your submission and provide you with a point of contact to work with.
  • We will notify the appropriate security engineers, who may want to follow up with you to better understand what you’ve found or to confirm technical details.
  • We will investigate the details in your report for potential impact across Medtronic products.
  • We will conduct a risk assessment to determine appropriate action.
  • Once we have completed our analysis, we will provide you with an update with a summary of actions.
  • With your consent, we may publicly acknowledge your contribution to improving the security of our products and services.


Important information:

  • We ask that you comply with all laws and regulations when conducting your research. Do not test on devices that you neither own nor have explicit permission to test.
  • Please avoid actions that could harm any person or therapy delivered by a product, such as testing on devices in clinical settings, testing on software in production environments, and any actions on devices that are actively in use.
  • By submitting information, you agree that your submission will be governed by Medtronic’s privacy statement and terms of use. 
  • We reserve the right to make changes to our coordinated disclosure process at any time, and to make exceptions to it on a case-by-case basis.
