Vulnerability disclosure process
1. Vulnerability disclosure statement
Solventum prioritizes the safety and security of patients, operators, and customers using our products and services. We have a global network of product security officers dedicated to developing and deploying advanced security and privacy features, as well as managing security events. Our Product Security Office continuously monitors the evolving cybersecurity landscape in an effort to address vulnerabilities and protect patients through a coordinated disclosure process.
Operating under a global product security policy, Solventum guides incident management and risk assessment activities for potential security and privacy vulnerabilities. We support coordinated vulnerability disclosure and encourage responsible testing and reporting by security researchers and customers. If you believe you have identified a potential security vulnerability in one of our products or services, we want to know so we can investigate. Please follow the procedures outlined below when submitting vulnerability reports so that we can handle them efficiently.
For more information, visit our product security page at https://www.solventum.com/security.
2. How to report a vulnerability
Solventum has established a process to receive potential product security vulnerabilities from external sources. This process helps us validate the existence of vulnerabilities and determine the best response to enhance product security and safety. Please email any potential product security vulnerabilities to the Solventum Product Security team at cirt@solventum.com.
3. Reporting guidelines
- Do not submit any data, screenshots or other attachments that contain individually identifiable health information or other sensitive personal information.
- Provide sufficient contact information, including your name, organization name, email address and phone number, so that we can get in touch with you.
- Please include any plans or intentions for public disclosure and whether you have already communicated with a vulnerability coordinator (e.g., ICS-CERT, CERT/CC, H-ISAC, NCSC, or others) and their tracking number for this potential vulnerability if one was provided.
- Clearly describe the potential product security vulnerability you have identified and the methods used to exploit it.
- Identify as much specific product information as possible, including the product name, model number, serial number, software version number, etc.
- Provide any information regarding the network configuration you used when identifying the potential product security vulnerability.
4. Reporting requirements
If the vulnerability you are reporting is on a Solventum external-facing website, please include:
- Target website
- Type of vulnerability (e.g., SQLi, XSS, CSRF, RCE, IDOR, Security Misconfiguration, Broken Authentication & Session Management, Vulnerable Third-Party Components, Logging, Directory Traversal, etc.)
- Specific vulnerability URL
- Detailed steps to reproduce vulnerability
- Suggested means to remediate, if known
- HTTP request (e.g., the GET request used)
- Proof-of-exploit code, if available
Additionally, describe how you found the potential product security vulnerability and its potential impact. Please include any plans or intentions for public disclosure and whether you have already communicated with a vulnerability coordinator (e.g., ICS-CERT, CERT/CC, H-ISAC, NCSC, or others) and their tracking number for this potential vulnerability if one was provided.
5. Product security vulnerability assessment process
- Solventum will acknowledge receipt of your vulnerability submission concerning our products and services within five business days.
- We will assign a Solventum contact person for the reporter.
- Our Product Security & External Threat team will investigate and inform relevant business units that own the product or services.
- If the vulnerability is in a third-party component of our product/service, we will notify the third party. Please let us know if we can share your contact information with them.
- If you wish, Solventum will provide you with the status of your submission.
- Solventum will do the following:
  - Investigate and confirm the vulnerability.
  - If Solventum determines external communication is necessary, we will coordinate with you on containment and disclosures to customers and agencies. If you wish to be credited, your contribution will be noted on our security bulletin page.
  - Develop remediations and release schedules.
  - Perform post-vulnerability assessments and root cause analysis with product development teams.
- Solventum will use existing customer notification methods to manage the release of patches or security fixes. This may include direct notifications to customers or posting an advisory on our website.
IMPORTANT INFORMATION
By submitting a vulnerability report (and any information in connection with such report), you agree that:
- Your submission will be governed by Solventum’s Global Website Privacy Statement and Terms and Conditions;
- Any and all information you submit will be considered as non-proprietary and non-confidential, and that Solventum is allowed to use such information in any manner, in whole or in part, without any restriction;
- Your submission does not create any rights for you or any obligation for Solventum;
- Solventum reserves the right to change any aspect of our vulnerability disclosure process at any time without notice, and to make exceptions to it on a case-by-case basis.