Roche Diagnostics has mechanisms in place to identify and address vulnerabilities in its products and respond to the requirements of its customers and patients as well as authorities. This page describes Roche Diagnostics’ approach for receiving reports related to potential cybersecurity vulnerabilities in its products and the company’s standard practice for informing customers and other required stakeholders of verified vulnerabilities.
If you are or represent a customer of Roche, please inform the US Local Safety Officer about product issues, including any potential cybersecurity vulnerabilities, to ensure proper complaint handling and processing in accordance with your service contract.
If you want to report a potential cybersecurity vulnerability in a Roche Diagnostics product and/or service, please contact us at [email protected].
To help us to address the cybersecurity issue efficiently, please provide the following details in your initial notification via email:
As soon as we have established a secure communication channel (encrypted/signed via PGP), please provide the following details to enable a fast response:
Please do not include any protected health information, patient information, or other protected data when you provide details in your initial notification or in any follow-up correspondence. Please only include the information required for Roche Diagnostics to review and handle any potential cybersecurity issue (e.g., a potential vulnerability or breach).
Please note that by submitting this information, you agree that Roche Diagnostics may use and distribute the information as required, and you agree that the submission does not create any rights for you or create any obligations for Roche.
All submitted personal information will be handled in accordance with our privacy notice.
Once a vulnerability is confirmed, using the provided details, Roche will:
Roche Diagnostics may also, in our discretion, distribute or issue advisories to Information Sharing and Analysis Organizations (ISAOs) and other information sharing communities, or publish such advisories on this and other defined websites.
On request, the finder of the issue will be acknowledged in such advisories.
Roche requests that the finder refrain from publishing the vulnerabilities until Roche has explicitly agreed to their publication.