Coordinated Vulnerability Disclosure
At bioMérieux, we take the security of our products and services seriously. We believe in the power of collaboration to ensure the safety and integrity of our systems.
We believe that by working together with the security community, we can maintain a high level of security and protect against potential threats. We are committed to resolving reported vulnerabilities in a timely manner and maintaining transparency as part of bioMérieux’s Vulnerability Disclosure Program (the “Disclosure Program”).
Objective
The purpose of this webpage is to describe the policies governing bioMérieux's Disclosure Program (the "Policy"), including how to share vulnerability reports with bioMérieux securely and what communication you can expect from the company.
Scope
This Policy applies to all bioMérieux commercial products and services, and covers individuals not affiliated with bioMérieux, such as cybersecurity researchers, who are conducting, or seek to conduct, good faith security testing or research on such commercial products or services.
bioMérieux reserves the right to limit, expand or discontinue the Disclosure Program at any time, as well as to discontinue any individual’s participation in the Disclosure Program at bioMérieux’s sole discretion.
Our expectations
In order to comply with this Policy, you agree to:
- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid disruption to bioMérieux systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability's presence; do not use an exploit to compromise or exfiltrate data, establish command-line access or persistence, or "pivot" to other systems.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Not intentionally compromise the intellectual property or other commercial or financial interests of bioMérieux or any third parties.
How to submit a vulnerability report
To submit a vulnerability report, please ensure your report contains all necessary content and that it is encrypted with PGP using the following PGP public key.
The encrypted report must then be attached to an email sent to the address linked on this page, with the email body outlining the context of the report, the product(s) the issue was identified on, and your contact information.
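The following GnuPG script is an added example of preparing a submission as described above; it is not bioMérieux's own tooling. It assumes GnuPG 2.1 or later (for `--quick-generate-key` and `--pinentry-mode`), and the key file, fingerprint, user ID `psirt@example.invalid` and report path are placeholders. The key pair in `demo_roundtrip` is a constructed throwaway that stands in for the public key published on this page so the script runs offline; with a real submission you would import the published key and compare its fingerprint against the value shown on the page before encrypting.

```shell
#!/bin/sh
# Added example, not bioMérieux's own tooling: encrypt a vulnerability report
# to a vendor's published PGP public key with GnuPG, checking the key's
# fingerprint first. Key file, fingerprint and report paths are placeholders;
# the key pair generated in demo_roundtrip is constructed for the demo.
set -eu

# Import the vendor's public key into the given keyring and fail unless the
# keyring now holds a key whose full fingerprint equals the value obtained out
# of band (the disclosure page). Without this check a key swapped in transit
# would silently become the recipient of the report.
import_vendor_key() {
    keyring=$1; keyfile=$2; expected_fpr=$3
    GNUPGHOME=$keyring gpg --batch --quiet --import "$keyfile"
    GNUPGHOME=$keyring gpg --batch --with-colons --fingerprint \
        | awk -F: -v want="$expected_fpr" \
            '/^fpr:/ && $10 == want { found = 1 } END { exit !found }' \
        || { echo "fingerprint mismatch for $keyfile" >&2; return 1; }
}

# Encrypt the report to the verified fingerprint. --armor produces ASCII text
# that survives mail clients; --trust-model always suppresses the trust prompt,
# which is acceptable only because the fingerprint was checked above.
encrypt_report() {
    keyring=$1; fpr=$2; report=$3; out=$4
    GNUPGHOME=$keyring gpg --batch --yes --quiet --armor --trust-model always \
        --encrypt --recipient "$fpr" --output "$out" "$report"
}

# End-to-end check with a constructed vendor key: the vendor generates and
# exports a key, the researcher verifies it and encrypts a sample report, and
# the vendor decrypts it. Prints "roundtrip-ok" when the plaintext matches.
demo_roundtrip() {
    work=$(mktemp -d)
    vendor=$work/vendor; researcher=$work/researcher
    mkdir -m 700 "$vendor" "$researcher"

    # Vendor side: throwaway key standing in for the published key (constructed).
    GNUPGHOME=$vendor gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example PSIRT <psirt@example.invalid>' default default never
    GNUPGHOME=$vendor gpg --batch --armor --export psirt@example.invalid > "$work/vendor.asc"
    fpr=$(GNUPGHOME=$vendor gpg --batch --with-colons --fingerprint \
        | awk -F: '/^fpr:/ { print $10; exit }')

    # Researcher side: a constructed sample report.
    printf 'Product: Example Analyzer 1.0\nIssue: authentication bypass on /login\n' \
        > "$work/report.txt"
    import_vendor_key "$researcher" "$work/vendor.asc" "$fpr"
    encrypt_report "$researcher" "$fpr" "$work/report.txt" "$work/report.txt.asc"

    # Vendor side: decrypt and compare with the original.
    GNUPGHOME=$vendor gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$work/report.txt.asc" > "$work/decrypted.txt"
    cmp -s "$work/report.txt" "$work/decrypted.txt" && echo roundtrip-ok

    for d in "$vendor" "$researcher"; do
        GNUPGHOME=$d gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work"
}

demo_roundtrip
```

The resulting `report.txt.asc` is the file to attach to the submission email; keep the unencrypted `report.txt` out of the email body and out of shared drives, since the point of encrypting is that only the holder of the vendor's private key can read the details.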
Please note that no financial compensation of any kind will be provided in exchange for the submission of a vulnerability report.
Preference, prioritization, and acceptance criteria
We will use the following criteria to prioritize and triage submissions.
What we expect from you:
- Well-written reports in English will result in a higher chance of resolution.
- Contact information to allow for status updates.
- Reports that include proof-of-concept code equip us to better triage.
- Reports that include only crash dumps or other automated tool output may receive lower priority.
- Please include how you found the bug, the impact, and any potential remediation.
- Please include any plans or intentions for public disclosure.
What you can expect from us:
- A timely response to your email.
- An open dialogue to discuss issues.
- Notification when the vulnerability analysis has been completed.
- A disclosure plan.
- Credit after the vulnerability has been disclosed.
Where necessary, bioMérieux may request a neutral third party to assist in resolution of the inquiry.
Acknowledgment
By submitting a request, you acknowledge that bioMérieux may, at its sole discretion, use any data or information that you submit to bioMérieux under this Policy. Your submission does not grant you any rights under bioMérieux intellectual property or impose any obligations in your favor upon bioMérieux.
Authorization
If you make a good faith effort to comply with this Policy, bioMérieux will not recommend or pursue legal action against you in relation to your research or testing, provided that you:
- Test systems and conduct research without harming bioMérieux or its customers.
- Engage in vulnerability testing within the scope of this Policy.
- Test products without affecting customers, or obtain customers' permission before testing their devices or software.
- Adhere to all laws applicable in your jurisdiction and in the jurisdictions in which bioMérieux does business.
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.