Getinge Coordinated Vulnerability Disclosure Statement
Getinge is committed to ensuring that all people and societies have access to the best possible health care. The company supports its customers in meeting challenges in health care and life science by providing knowledge, technology and resources to achieve optimal clinical outcomes and, ultimately, to save lives.
Our customers, and ultimately in the end the patients, expect that Getinge’s products are of high quality, safe and secured against vulnerabilities that could affect the functioning of the products and the security, integrity and privacy of the information and data used by the products.
The security, integrity and privacy of the sensitive data of our customers, patients, and operators of our systems is profoundly embedded in our development processes. However, Getinge encourages customers to responsibly report any potential security and privacy vulnerabilities identified in our products and solutions.
Getinge maintains a product security page in order to provide contact details and information concerning the accurate procedures to test and report any vulnerabilities.
If you encounter any issue with our products which do not implicate security or privacy vulnerabilities, or if you encounter any other issue which might affect patient, user, or operator safety, please contact your local Sales & Service representative.
What You Should Do
When you discover a security or privacy vulnerability we appreciate if you could notify us by filling in this form. We appreciate if you provide all information in English and ask you to refrain from including sensitive information, such as patient data, in any screen shots or other attachments you provide to us.
What We Will Do
- We will send you a confirmation that we have received your report.
- Depending on the issue, we will evaluate the level of analyzis needed and make sure to search for the root cause of the vulnerability.
Responsible Security Testing
While we value your investigation efforts, please conduct testing in safe environments.
- NEVER perform security testing on devices actively in use! This includes devices that are in standby mode and might be actively used after your investigation. Please be aware that security testing might have side-effects on the product that are not directly visible. When in doubt, decommission the device please contact your local Sales & Service representative.
- For web-based systems, never perform analysis on production systems. Use a demo, test or configuration system instead.
- If you have found a vulnerability, use it only as reasonably necessary to demonstrate the vulnerability.
- Never make changes to systems that will be used after your testing. If you do decommission the product after making the change. Most vulnerabilities can be proven by read-only, non-modifying operations.
Coordinated Vulnerability Disclosure
We want to make sure that users of our systems are not exposed to unnecessary risks. If you plan to publicly disclose a potential vulnerability, please inform us of your plans. We encourage you to work with Getinge to coordinate or synchronize the public release of information.
If the vulnerability is verified, Getinge will give credit to the researcher reporting the vulnerability in the published security advisory, if requested.
Notice:
In case you decide to share any information with Getinge, you automatically agree that the information you submit will be considered as non-proprietary and non-confidential and that Getinge is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for Getinge.