Our Commitment to Product Security

At Johnson & Johnson, nothing is more important than the security and safety of our products and the patients they serve. Johnson & Johnson MedTech places security in the highest regard when designing and manufacturing our products. The Product Security team at Johnson & Johnson MedTech is continuously striving to work with our designers and outside security researchers to continuously improve the security of our products. We are proud to work with the best security professionals in the industry to enhance our product offerings and customer experience with our new and improved coordinated vulnerability disclosure process and customer portal.

Purpose and Scope

The scope of vulnerability reporting on this site includes Medical Devices, Software as a Medical Device, and Mobile Medical Applications. It is not for technical support information or for reporting Adverse Events or Product Quality Complaints. If you need to report something other than a vulnerability, then please navigate to Contact Us.

This site also provides security information for customers via a portal. The security information pertains to Medical Devices with embedded OS, Software as a Medical Device, and Mobile Medical Applications. To gain access to the portal you will need to register for an account via the “Request Account” button at the bottom of this page.

Expectations of you and us

We are willing to work in good faith with security researchers who test and submit vulnerabilities according to the following guidelines:

Avoid impact to the safety or privacy of our customers by altering a product that a patient uses or by releasing personal information on patients
Avoid testing any products in clinical settings or being actively used by patients as it could cause a device to malfunction. Additionally, do not use a device on patients or in a clinical setting if the device has been subjected to security testing.
Provide the following information when reporting a vulnerability
- Product name, version, and configuration details
- Description of vulnerability and environment which it was discovered
- Description of the impact and how you envision it being used in an attack
Comply with all laws and regulations during your testing activities.

You can expect us to:

Acknowledge receipt of the initial email within 10 business days
Escalate the potential findings to the appropriate product teams for review. You may be contacted to provide additional information at this stage
Confirm the existence of the vulnerability and potential impact. If the vulnerability impacts patient safety, we will work to develop a resolution and take appropriate action. All other vulnerabilities will be evaluated and addressed according to the associated risk.

All aspects of this process are subject to change without notice as well as for case-by-case exceptions. No level of response is guaranteed.

Account Registration

Does your organization utilize Johnson & Johnson MedTech products? Register for a customer account to access security related information for our products by clicking the “Request Account” button.