Your Role in Medtronic Product Security
We value the contributions of the security research community. If you believe you have identified a potential security vulnerability in one of our products or services, we want to know so we can investigate.
WHO TO CONTACT
Email firstname.lastname@example.org using our PGP public key to encrypt your message. We would prefer that your message be provided in English.
WHAT DETAILS TO PROVIDE
- Your contact information, including name(s), organization name, email address and phone number so we can follow up with you. We ask for contact information only to consult Medtronic records when addressing your submission. We never share your contact information.
- Technical description of the concern or vulnerability, including:
  - When, where and how it was discovered
  - Which products/devices/systems it is impacting, including product numbers
- Whether you were able to access any protected health information or other personally-identifiable information about any user or the product or system in which you disclosed the vulnerability. Please do NOT include any protected health information or other personally-identifiable information about others in your email submission.
- Any additional information you think will be helpful to us, including details on the testing environment and tools used to conduct the testing
- Whether you have notified anyone else about the potential vulnerability, such as regulatory agencies, vendors, vulnerability coordinators, etc.
WHAT MEDTRONIC WILL DO
- Within five business days, Medtronic will confirm we have received your submission and give you the name of a contact person.
- We will notify the appropriate security engineers who may want to follow up with you to better understand what you’ve found, or to confirm technical details.
- We will investigate the potential vulnerability.
- We will conduct a risk analysis to determine appropriate action.
- Once determined, we will provide you with a summary of our findings.
- We may publicly acknowledge your contribution to improve the security of our products and services, subject to your agreement.
- We ask that you comply with all laws and regulations when conducting your research, and avoid actions that could harm products or people, such as brute-force testing, tests on active devices, tests on software in production settings, actions taken to exploit any vulnerability, and actions that result in a change to a product or system after the test is conducted.
- If you have identified a security vulnerability in a Medtronic product and would prefer to disclose the matter directly to the regulatory agency rather than Medtronic, please contact the appropriate regulatory agency.
- We reserve the right to change any aspect of our coordinated disclosure process at any time without notice, and to make exceptions to it on a case-by-case basis.