Product security
Edwards Lifesciences Support of Vulnerability Disclosure
As software and technology continue to become more integrated in products, Edwards recognizes cybersecurity to be a critical element in reducing risk across the total product lifecycle. Cybersecurity threats are evolving, and they have the potential to not only impact the confidentiality, integrity, and availability of a product, but also its clinical effectiveness.
Edwards maintains a dedicated Product Security team to help evaluate and implement security controls, manage cybersecurity risk across our various product lines, and execute our cybersecurity post-market product surveillance and support program.
We recognize the value provided by patients, customers, and security researchers in helping manage cybersecurity risk and are willing to collaborate with those who work in good faith with Edwards.
Scope of Disclosure Program
The scope of the Edwards Coordinated Vulnerability Disclosure Program includes on-market Medical Device and Software as a Medical Device categories (including mobile and web medical applications). Non-medical devices including websites, mobile apps, infrastructure components, etc., are not in scope. Additionally, the submission of adverse events or product quality complaints is not in scope. Please follow the appropriate processes laid out by the individual product lines for reporting these.
As a part of our vulnerability disclosure program, Edwards will be using this page to post cybersecurity bulletins related to vulnerabilities and their impact to Edwards products. For any additional questions or comments related to product security at Edwards, please contact your service representative and/or the product security team directly.
How to Contact Edwards Product Security
Upon identifying a potential vulnerability in an Edwards product, please contact us via email as soon as possible utilizing PGP as outlined below:
- Key ID: 0x49F9C9DB
- PGP Location: https://keyserver.pgp.com
- Email: product_security@edwards.com
In the email, please provide all relevant technical information regarding the vulnerability, including, but not limited to, steps which would need to be taken to replicate the potential issue, plans on public disclosure, and any awareness of active exploitation. Do not include any personally identifiable information (PII) or individually identifiable health information (IIHI) in the message.
Expectations of Researchers
For any research being conducted on Edwards products, we ask researchers to:
- Perform testing in a safe environment and manner
- Not test or alter a production device in any way
- Not use devices in production that have been altered
- Not weaponize the research, nor create an active exploit
- Not publicly disclose without prior engagement with Edwards
Expectations of Edwards
After submission of a potential vulnerability, Edwards will:
- Review all submitted information and acknowledge receipt within 10 business days
- Request additional information, if required, in order to enable a full review of the submission
- Initiate our internal Vulnerability Management & Incident Response processes, which may include:
  - Internal replication of potential vulnerabilities
  - Risk evaluation activities
  - Mitigation/remediation planning and execution
  - External communications efforts
- Work diligently in providing updates to the submitter, as necessary
Notice
In the case you decide to share any information with Edwards, you agree that the information you submit will be considered as non-proprietary and non-confidential, and that Edwards is allowed to use such information in any manner, in whole or in part, without any restriction.