Diagnostics Product Cyber Security

Vulnerability & Incident Handling

Introduction

Roche Diagnostics has mechanisms in place to identify and address vulnerabilities in its products and respond to the requirements of its customers and patients as well as authorities. This page describes Roche Diagnostics’ approach for receiving reports related to potential cyber security vulnerabilities in its products and the company’s standard practice for informing customers and other required stakeholders of verified vulnerabilities.

Roche Diagnostics has been authorized by the CVE Program as a CVE Numbering Authority (CNA).

How to Report (Roche customers)

If you are, or represent, a customer of Roche, please inform your responsible local Roche Diagnostics affiliate about product issues, including any potential cyber security vulnerabilities, to ensure proper complaint handling and processing in accordance with your service contract.

How to Report (Security Researchers and other vulnerability finders)

If you want to report a potential cyber security vulnerability in a Roche Diagnostics product and/or service, please contact us at [email protected].

What details we need

To help us address the cyber security issue efficiently, please provide the following details in your initial notification via email:

  • Your contact details
  • Preferred method of secure communication (e.g., PGP key ID and PGP fingerprint)
  • Vulnerability finding date, time and location
  • A list of Roche products potentially affected

As soon as we have established a secure communication channel (encrypted / signed via PGP), please provide the following details to enable fast response:

  • Technical details about your finding(s)
  • Steps to reproduce the issue
  • If available: Proof of concept exploit code
  • If applicable: Observed exploitation / observed impact / Indicators that the vulnerability may actively be exploited

Please do not include any protected health information, patient information, or other protected data when you provide details in your initial notification or in any follow-up correspondence. Please only include the information required for Roche Diagnostics to review and handle any potential cyber security issue (e.g., a potential vulnerability or breach).

Please note that by submitting this information, you agree that Roche Diagnostics may use and distribute the information as required, and you agree that the submission does not create any rights for you or create any obligations for Roche.

  • All submitted personal information will be handled in accordance with our privacy notice.

How Roche Diagnostics responds to a confirmed vulnerability

Once a vulnerability is confirmed, using the provided details, Roche will:

  1. Acknowledge receipt of the alleged vulnerability to the finder as soon as the information has been reviewed, and assign a contact person.
  2. Assess the finding together with the associated risks for the affected product(s).
  3. Assign a CVE ID and publish a CVE record.

Roche Diagnostics may also, at its discretion, distribute or issue advisories to Information Sharing and Analysis Organizations (ISAOs) and other information sharing communities, or publish such advisories on this and other defined websites.

On request, the finder of the issue will be acknowledged in such advisories.

Roche requests that the finder refrain from publishing the vulnerability until Roche has explicitly agreed to its publication.