Details

Responsible Disclosure

Scope

The scope of our vulnerability reporting program covers Boston Scientific products that contain software and includes on-market medical devices, Software as a Medical Device, implants, capital equipment, and mobile medical applications.

This program is not intended to provide technical support information on our products or for reporting adverse events or product quality complaints. To report an adverse event or a product quality complaint, please contact Boston Scientific per customer support and services.

Vulnerability Disclosure Statement

Boston Scientific has an unwavering commitment to provide safe and secure products and has built a strong security program that is anchored in our Quality Management System. This system helps our organization reach the highest level of security through proactive monitoring and expedited responses when vulnerabilities are discovered.

How to Report a Potential Product Security Vulnerability

Boston Scientific has developed a process to receive potential product security vulnerabilities from external sources, to validate their existence, and to determine how best to respond to improve product security and safety. In this context, a vulnerability is a security weakness that the submitter believes can be exploited. Please e-mail potential product security vulnerabilities to the Boston Scientific Product Security team at [email protected]. As a reminder, do not submit any data that contains individually identifiable health information and if possible, please submit the information in English. Please provide the following in your email:

Contact information.
Clear description of the potential product security vulnerability that you have identified and the methods used to exploit it.
Detailed product information, including:
- Product name
- Model number
- Serial number or lot number
- Software version number
Information regarding the network configuration you used when identifying the potential product security vulnerability.
Proof-of-exploit code if available.
How you found the potential product security vulnerability and the potential impact.
Plans or intentions for public disclosure, and whether you have already communicated with a vulnerability coordinator (e.g., US Cybersecurity and Infrastructure Security Agency (CISA), US Health Information Sharing and Analysis Center (H-ISAC)) and their tracking number for this potential vulnerability if one was provided.

What you can expect from Boston Scientific

For submissions provided that are within the scope of this process:

We will acknowledge receiving your report within five (5) business days.
We will provide the name of a contact person at Boston Scientific for the reported issue.
After triage, Boston Scientific will send an expected assessment timeline and commit to being as transparent as possible about any remediation timelines as well as any issues or challenges that may extend the timelines.
Boston Scientific will attempt to recreate your results. We will communicate with you if we have any difficulties in that re-creation.
If confirmed to be a vulnerability, Boston Scientific will conduct a risk assessment of the vulnerability and discuss that assessment with you.
Boston Scientific will identify whether users need to implement compensating controls while a potential fix is being prepared and communicate that to our customers using our normal customer notification processes.
If Boston Scientific determines that externally released communications are warranted, we will work with you to coordinate release announcements so you may receive credit, if desired.

The process described here is not a guarantee, but rather a statement of Boston Scientific's intentions that is subject to change based on the circumstances of any situation.

If you have legal concerns about reporting vulnerabilities to Boston Scientific, please send an email to [email protected] informing Boston Scientific about your concerns prior to submitting any details through our product security reporting process.

Boston Scientific welcomes any research conducted and submitted in good faith, and in that regard please bear in mind:

Boston Scientific expects that the intent of your testing is not to cause harm to patients, customers, or Boston Scientific.
Our software is protected by license terms that prevent the public disclosure of proprietary information contained in Boston Scientific products. Please communicate with Boston Scientific first about your findings, so together we can work out a mutually agreed-upon disclosure plan.
You must adhere to the laws of the U.S. and your locality.
Never perform security testing on devices actively in use or on those devices that will be used for patient care delivery after your investigation.

By submitting information to Boston Scientific through this process, you are agreeing that submission of the information does not create any rights for you, that such information will be considered to be non-confidential and non-proprietary to you, and that Boston Scientific will be entitled to such information in whole or in part for any use or purpose whatsoever, without restriction and without compensating you or in any other way obligating Boston Scientific.

Note that at this time, Boston Scientific does not have a bug bounty program in place.

Scope

Vulnerability Disclosure Statement

How to Report a Potential Product Security Vulnerability

Contact information.

Clear description of the potential product security vulnerability that you have identified and the methods used to exploit it.

Detailed product information, including:

Product name
Model number
Serial number or lot number
Software version number

Information regarding the network configuration you used when identifying the potential product security vulnerability.

Proof-of-exploit code if available.

How you found the potential product security vulnerability and the potential impact.

Plans or intentions for public disclosure, and whether you have already communicated with a vulnerability coordinator (e.g., US Cybersecurity and Infrastructure Security Agency (CISA), US Health Information Sharing and Analysis Center (H-ISAC)) and their tracking number for this potential vulnerability if one was provided.

What you can expect from Boston Scientific

For submissions provided that are within the scope of this process:

We will acknowledge receiving your report within five (5) business days.

We will provide the name of a contact person at Boston Scientific for the reported issue.

After triage, Boston Scientific will send an expected assessment timeline and commit to being as transparent as possible about any remediation timelines as well as any issues or challenges that may extend the timelines.

Boston Scientific will attempt to recreate your results. We will communicate with you if we have any difficulties in that re-creation.

If confirmed to be a vulnerability, Boston Scientific will conduct a risk assessment of the vulnerability and discuss that assessment with you.

Boston Scientific will identify whether users need to implement compensating controls while a potential fix is being prepared and communicate that to our customers using our normal customer notification processes.

If Boston Scientific determines that externally released communications are warranted, we will work with you to coordinate release announcements so you may receive credit, if desired.

The process described here is not a guarantee, but rather a statement of Boston Scientific's intentions that is subject to change based on the circumstances of any situation.

Boston Scientific welcomes any research conducted and submitted in good faith, and in that regard please bear in mind:

Boston Scientific expects that the intent of your testing is not to cause harm to patients, customers, or Boston Scientific.

Our software is protected by license terms that prevent the public disclosure of proprietary information contained in Boston Scientific products. Please communicate with Boston Scientific first about your findings, so together we can work out a mutually agreed-upon disclosure plan.

You must adhere to the laws of the U.S. and your locality.

Never perform security testing on devices actively in use or on those devices that will be used for patient care delivery after your investigation.

Note that at this time, Boston Scientific does not have a bug bounty program in place.