Product Vulnerability Disclosure Reporting

As part of Our Credo, we believe our first responsibility is to the doctors, nurses and patients, mothers and fathers and all others who use our products. The commitment to safety is part of our DNA, factoring into decisions and development of our products and services. With today’s evolving healthcare landscape, cybersecurity has become an integral part of our focus on safety.

The Johnson & Johnson Family of Companies recognizes the valuable role that security researchers have played in highlighting cybersecurity vulnerabilities and concerns. To enable us to partner effectively with the research community and make better use of their findings, we are introducing our initial Coordinated Vulnerability Disclosure Process, outlined below, which is designed to promote collaboration and external reporting of medical device vulnerabilities.

Scope

The scope of our vulnerability reporting process includes Medical Devices, Software as a Medical Device, and Mobile Medical Applications. It is not for technical support information on our products or for reporting Adverse Events or Product Quality Complaints. If you need to report one of these, please visit https://www.ccc-consumercarecenter.com.

How to Contact Us

If you have identified a potential security vulnerability or privacy issue with products from the Johnson & Johnson Family of Companies, please contact us by sending an email (in English) to productsecurity@its.jnj.com. Please use our PGP Public Key to encrypt your email submission. The Public Key can be found on PGP public key servers (keyserver.pgp.com) under the key ID EC69B12DFF06A1CA.

Once we have received the message, appropriate personnel will contact you.

The productsecurity@its.jnj.com email address is intended only for the purposes of reporting security vulnerabilities or privacy issues in medical device products from the Johnson & Johnson Family of Companies.

What We Expect of You

We are willing to work in good faith with security researchers who test and submit vulnerabilities according to these guidelines:
  • Avoid impacting the safety or privacy of our customers, for example by altering a product that a patient uses or by releasing personal information about patients.

  • Avoid testing any of our products in clinical settings or while they are actively being used by patients, as testing could cause a device to malfunction. Additionally, do not use a device on patients or in a clinical setting once it has been subjected to security testing.

  • Provide the name, version and configuration details of the affected product; a description of the vulnerability and the environment in which it was discovered; and a description of the specific impact and how you would envision it being used in an attack.

  • Comply with all laws and regulations in the course of your testing activities.

What You Can Expect

Once we have received a vulnerability submission, Johnson & Johnson will:
  • Within 10 business days, acknowledge receipt of the initial email.

  • Escalate the potential findings to the appropriate product teams for verification and reproduction. You may be contacted to provide additional information at this stage.

  • Confirm the existence of the vulnerability and the potential impact. If the vulnerability impacts patient safety, we will work to develop a resolution and take appropriate action. All other vulnerabilities will be evaluated and addressed according to the associated risk.
All aspects of this process are subject to change without notice and to case-by-case exceptions. No particular level of response is guaranteed.
* By contacting us, you agree that the information you provide will be governed by our site’s “Privacy Policy” and “Legal Notice”.