Roche Diagnostics has mechanisms in place to identify and address vulnerabilities in its products and respond to the requirements of its customers and patients as well as authorities. This page describes Roche Diagnostics’ approach for receiving reports related to potential cyber security vulnerabilities in its products and the company’s standard practice for informing customers and other required stakeholders of verified vulnerabilities.
Roche Diagnostics has been authorized by the CVE Program as a CVE Numbering Authority (CNA).
If you are / represent a customer of Roche, please inform your responsible local Roche Diagnostics affiliate about product issues, including any potential cyber security vulnerabilities, to ensure proper complaint handling and processing in accordance with your service contract.
If you want to report a potential cyber security vulnerability in a Roche Diagnostics product and/or service please contact us at [email protected].
To help us to address the Cyber Security issue efficiently, please provide the following details in your initial notification via email:
As soon as we have established a secure communication channel (encrypted / signed via PGP), please provide the following details to enable fast response:
Please do not include any protected health information, patient information, or other protected data when you provide details in your initial notification or in any follow-up correspondence. Please only include the information required for Roche Diagnostics to review and handle any potential cyber security issue (e.g., a potential vulnerability or breach).
Please note that by submitting this information, you agree that Roche Diagnostics may use and distribute the information as required, and you agree that the submission does not create any rights for you or create any obligations for Roche.
Once a vulnerability is confirmed, using the provided details, Roche will:
Roche Diagnostics may also, in our discretion, distribute or issue advisories to Information Sharing and Analysis Organizations (ISAOs) and other information sharing communities, or publish such advisories on this and other defined websites.
On request, the finder of the issue will be acknowledged in such advisories.
Roche requests the finder to refrain from publishing the vulnerabilities until Roche has explicitly agreed to do so.