Coordinated Vulnerability Disclosure Policy

1. Introduction

Senseonics recognizes the important role played by researchers in the security community to promote secure design practices and security risk mitigation within the medical device industry. Other potential sources of reports include, but are not limited to, customers, third-party vendors, and others who may desire to report a vulnerability. The purpose of this policy is to outline how Senseonics will accept vulnerability reports about its products. Senseonics will not engage in legal action against individuals who submit reports through our Coordinated Vulnerability Disclosure process and enter into a legal agreement with us.

2. Scope

The scope of this policy includes medical devices, software as a medical device, and mobile medical applications provided by Senseonics.

This policy is not intended to provide technical support, troubleshooting, or other information about our products, or for reporting adverse events or product quality complaints. For technical and customer support regarding the Eversense CGM product itself, please email support@eversensediabetes.com.

3. How to Report a Vulnerability

To report a potential vulnerability, email security@eversensediabetes.com. Please include the required information in the email you send. By submitting the email, you agree to abide by the rules outlined below, and you acknowledge that Senseonics (or its designees) may use any data or information you provide without restriction. Your submission does not grant you any rights under Senseonics’ intellectual property or create any obligations for Senseonics.

4. Reporting Requirements

Security researchers must adhere to the following prerequisites during the entirety of the research and disclosure process, including initial research and testing:

  • Comply with all applicable laws and regulations of your location and of the location in which the Senseonics product is made available.
  • Do not use a vulnerability to take any action other than to prove its existence.
  • Do not use a vulnerability to remove sensitive data from the product, to create a backdoor within a product, or to introduce further vulnerabilities into a product for subsequent use.
  • Never include sensitive data (e.g., identifiable patient data) within the body of the email or within any attachments.
  • Never engage in research or testing of products if there is any risk of patient harm, including rendering the device unable to be used by the patient.
  • Never test products or network infrastructure in clinical or active environments where the products are being used for any type of patient care or monitoring, or where the products could inadvertently be used in such a way.
  • Ensure you have obtained written permission from the owner of the Senseonics product in advance of any testing, so that the scope is clear.
  • Do not disclose details regarding the vulnerability to the public before a timeframe mutually agreed with Senseonics has expired.
  • Do not operate outside the scope described in this document.
  • Provide Senseonics, without delay, with details of any communication to regulatory organizations or other third parties about any discovered vulnerability.
  • All information you submit is considered non-proprietary and non-confidential.

5. Preference, Prioritization, and Acceptance Criteria

In your report, we request and expect the following:

  • Reports should be written in English.
  • Essential details, including the location of the product, the exact model and serial number, the software revision, and the method used to obtain the system.
  • Proof-of-concept code, to better equip us to triage.
  • All information regarding how you discovered the vulnerability, its impact, and any potential remediation.
  • Any intention for public disclosure.

Note: Reports that only include automated tool output, such as crash dumps, may receive lower priority.

What you may expect from Senseonics:

  • Acknowledgement of your message within five (5) business days.
  • During the initial assessment and triage, a member of the Senseonics Security Incident Response Team may contact you for:
    • Additional information
    • Communication of the expected process and timeline, or
    • Notification that the reported vulnerability is not accepted into the program because it does not meet program requirements or does not provide enough detail
  • Once sufficient information has been collected and the report has been accepted, Senseonics will:
    • Investigate with relevant members of the Security Incident Response Team
    • Communicate with you when the vulnerability analysis has completed each stage of review
    • Credit you after the vulnerability has been validated and resolved, if you so desire
  • If the vulnerability is confirmed and Senseonics deems it to impact patient safety, we will work expeditiously to develop a resolution and take appropriate action.
  • When necessary, Senseonics may request a neutral third party to assist in the resolution of the inquiry.

Note: All aspects of this policy are subject to change without notice and to case-by-case exceptions.

REF-0517 Rev2