Cybersecurity Coordinated Product Disclosure Program
Abbott is committed to protecting against potential vulnerabilities that could affect the integrity and security of our products and systems or the privacy of our patients and customers. The threat of cyberattacks to medical devices and other systems is constantly evolving. In response, we have proactively established a coordinated product disclosure program that is focused on reducing the cybersecurity risks from new and emerging threats, enabling us to continuously improve the security of our products.
We recognize the importance of incorporating cybersecurity considerations throughout our product development process. Our cross-functional Product Security Working Group includes representatives from product development, information security, information technology, and quality assurance. This working group functions as the steering committee for the program and helps us to further incorporate cybersecurity considerations across various aspects of the business, the product lifecycle, and our Quality Management System, including design controls and risk management.
We recognize the need to collaborate and partner with security researchers, patients and our customers to understand new vulnerabilities that may be present in our products.
The scope of our cybersecurity coordinated product disclosure reporting process includes Medical Devices, Software as a Medical Device, and Mobile Medical Applications. It is not intended to provide technical support information on our products or for reporting Adverse Events or Product Quality Complaints.
If you have identified a potential security vulnerability or privacy issue with our products, please contact us by sending an email (in English) to firstname.lastname@example.org.
We ask that you please encrypt your email using our PGP public key, which can be found at pgp.mit.edu.
Key ID: D93CE52D
Key Server: pgp.mit.edu
Please provide the following relevant information in your submission. We ask that you please refrain from including sensitive information (e.g., patient information) in any documents provided to Abbott:
- All necessary contact information (contact names, organization name, tracking numbers, email addresses, phone numbers) so that we can get in touch with you.
- A technical description of the issue or vulnerability. This might include:
  - Exact product description, including name and version/model numbers, configuration details, serial numbers, etc.
  - Network configuration details (as appropriate).
  - Conditions required to reproduce the issue.
  - Information about the tools and techniques used to conduct the testing and any pertinent test configurations.
  - Specific proof-of-concept or exploit code, if applicable.
- Any prior notification, or intent to notify, other parties (vulnerability coordinators, regulatory entities, other impacted vendors, etc.) of the vulnerability, including any relevant details (tracking numbers, contact information, etc.).
- Information regarding your intent to publicly disclose the reported vulnerability information.
- An indication of whether the vulnerability is being actively exploited or is known to others.
What We Ask Of You
Please conduct testing in safe environments, adhering to the following guidelines.
- Never perform security testing on devices actively in use or on those systems that will be utilized for patient care delivery after your investigation.
- Never perform security testing on a device that is actively being utilized for patient care delivery, diagnostics or monitoring.
- Be aware that security testing may have side effects on the product that are not immediately apparent. When in doubt, decommission the device and contact Abbott.
- If you have identified a vulnerability, use it only as needed to demonstrate the vulnerability.
What You Can Expect
Upon submission of a vulnerability, Abbott:
- Will acknowledge receipt of the initial email within 5 business days.
- Will evaluate and validate the reported findings, working with the appropriate product teams for review and verification. You may be contacted to provide additional information during this stage.
If the vulnerability is confirmed, Abbott:
- Will evaluate the potential impact. We will identify and take appropriate action.
In the case you decide to share any information with Abbott, you agree that the information you submit will be considered as non-proprietary and non-confidential and that Abbott is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for Abbott.