Vulnerability Disclosure Statement
Boston Scientific Corporation is dedicated to transforming lives through innovative medical solutions that improve the health of patients around the world. We have an unwavering commitment to provide safe and secure products and services.
Boston Scientific has built a strong product security program that is anchored in our Quality Management System. This helps us achieve our goal of Security by Design in our products and services. We have assembled an internal team of security experts, and partner with external experts and key members of our customer community to increase our assurance that a complete set of security requirements is implemented while balanced against the clinical usability of the device. For our most safety-critical products, we have been using a comprehensive security risk management process for more than a decade.
We proactively monitor our products after they are put in service and respond, as appropriate, when we learn of vulnerabilities either internally or from sources outside of Boston Scientific.
How to Report a Potential Product Security Vulnerability
Boston Scientific has developed a process to receive potential product security vulnerabilities from external sources in order to validate their existence and determine how best to respond to improve product security and safety. Please e-mail potential product security vulnerabilities to the Boston Scientific Product Security team at firstname.lastname@example.org using Boston Scientific's PGP Public Key to encrypt the email and any attachments.
- Do not submit any data that contains individually identifiable health information.
- Use our PGP Public Key to encrypt all communications regarding the potential product security vulnerability.
- Provide detailed information to contact you and ideally a PGP key or other secure means to communicate.
- Provide clear descriptions of the potential product security vulnerability you have identified and the methods used to exploit it.
- Identify as much specific product information as possible – the product name, model number, serial number, software version number, etc.
- Provide any information regarding the network configuration you used when identifying the potential product security vulnerability.
- If the vulnerability you are reporting is on a Boston Scientific external-facing website, please provide:
  - Target website
  - Type of vulnerability (SQLi, XSS, CSRF)
  - Specific vulnerability URL
  - Steps to reproduce (detailed)
  - Suggested means to remediate, if known
  - HTTP / GET request
- Provide proof-of-exploit code if you have that, encrypted with our PGP Public Key identified above.
- Describe how you found the potential product security vulnerability, and the potential impact.
- Please include any plans or intentions for public disclosure, and whether you have already communicated with a vulnerability coordinator (e.g. ICS-CERT, CERT/CC, NH-ISAC, NCSC or others) and their tracking number for this potential vulnerability if one was provided.
What you can expect from Boston Scientific
- We will acknowledge receiving your report within two business days for our regulated medical device products, and within five business days for Enterprise IT systems.
- If your report is for a Boston Scientific product:
  - We will provide the name of a contact person at Boston Scientific for the reported issue.
  - After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as any issues or challenges that may extend the timeline.
  - We will direct the information to the appropriate business unit, which will attempt to reproduce your results. We will communicate with you if we have any difficulty reproducing them.
  - If confirmed, we will conduct a risk assessment of the vulnerability and discuss that assessment with you.
  - We will identify whether users need to implement compensating controls while a fix is being prepared and communicate that using our normal customer notification processes.
  - If the issue warrants externally released communications, we will coordinate release announcements with you so that when the fix is released, you may receive credit, if desired.
The process described here is not a guarantee, but rather a statement of Boston Scientific's intentions that is subject to change based on the circumstances of any particular situation.
If you have legal concerns about reporting vulnerabilities to Boston Scientific, please send encrypted email to the address above to let us know about your concerns prior to submitting any details through our product security reporting process. We welcome any research conducted and submitted in good faith, and in that regard please bear in mind:
- We expect that the intent of your testing is not to cause commercial harm to Boston Scientific or to cause damage to Boston Scientific’s customers or patients
- Our software is protected by license terms that prevent the public disclosure of proprietary information contained in our products (meaning, you need to come to us first with your findings so we can work out a mutually agreed-upon disclosure plan)
- You must adhere to the laws of the U.S. and your locality
- You may not test products and then use those products on patients after testing is completed
By submitting information to BSC through this process, you are agreeing that submission of the information does not create any rights for you, that such information will be considered to be non-confidential and non-proprietary to you, and that BSC will be entitled to such information in whole or in part for any use or purpose whatsoever, without restriction and without compensating you or in any other way obligating Boston Scientific.
Note that at this time, Boston Scientific does not have a bug bounty program in place.
This document Revision AB was created 18 September 2019.