Commitment to Security
Medtronic designs and manufactures our products to be as safe and secure as possible, yet accessible for the patients and physicians who depend on them. We believe that the therapeutic benefits of our products far outweigh any potential security risks.
Medtronic has a strong product security program that leverages internal and external security and medical device experts, rigorous development processes, and current security practices to enable the highest levels of security and usability.
We continuously monitor the ongoing security of our products and take appropriate action to address vulnerabilities that we discover, and those brought to our attention by others.
Coordinated Disclosure Process
We value the contributions of the security research community. If you believe you have identified a potential security vulnerability in one of our products or services, we want to know so we can investigate.
Who to Contact
Email firstname.lastname@example.org using our PGP public key to encrypt your message. We would prefer that your message be provided in English.
What Details to Provide
- Your contact information, including name(s), organization name, email address and phone number so we can follow up with you. We ask for contact information only to consult Medtronic records when addressing your submission. We never share your contact information.
- Technical description of the concern or vulnerability, including:
  - When, where and how it was discovered
  - Which products/devices/systems it is impacting, including product numbers
- Whether you were able to access any personal health information or other personally identifiable information about any user of the product or system in which you discovered the vulnerability. Please do NOT include any personal health information or other personally identifiable information about others in your email submission.
- Any additional information you think will be helpful to us, including details on the testing environment and tools used to conduct the testing
- Whether you have notified anyone else about the potential vulnerability, such as regulatory agencies, vendors, vulnerability coordinators, etc.
What Medtronic Will Do
- Within five business days, Medtronic will confirm we have received your submission and give you the name of a contact person.
- We will notify the appropriate security engineers who may want to follow up with you to better understand what you’ve found, or to confirm technical details.
- We will investigate the potential vulnerability.
- We will conduct a risk analysis to determine appropriate action.
- Once determined, we will provide you with a summary of our findings.
- We may publicly acknowledge your contribution to improve the security of our products and services, subject to your agreement.
- We ask that you comply with all laws and regulations when conducting your research, and avoid actions that could harm products or people, such as brute force testing, tests on active devices, tests on software in production settings, actions taken to exploit any vulnerability, and actions that result in a change to a product or system after the test is conducted.
- We reserve the right to change any aspect of our coordinated disclosure process at any time without notice, and to make exceptions to it on a case-by-case basis.