
Coordinated Vulnerability Disclosure Process at STERIS

STERIS values security researchers' efforts to address cybersecurity vulnerabilities and concerns and wants to partner with the security researcher community to help identify potential security vulnerabilities discovered in our products or services. Therefore, we are committed to working with the security researcher community to verify and respond to legitimate vulnerabilities and ask researchers to participate in our responsible reporting process outlined below.

Scope

The STERIS cybersecurity Coordinated Vulnerability Disclosure (CVD) program covers STERIS medical and non-medical devices that employ software to control, in whole or in part, the functioning of those devices, as well as Medical Device Data Systems (MDDS), Software as a Medical Device (SAMD), Software as a Service (SaaS) and accessories.

The submission of adverse events or product quality complaints is not in scope. Please follow the existing processes for reporting these.

What we expect from you

  • Information to contact you. Please note, STERIS will never share your contact information without explicit consent.
  • Technical description of the security vulnerability, including:
    • Which products, devices, systems, or services are impacted, including name(s) and version number(s), serial number(s), etc.?
    • What is the vulnerability? Describe the vulnerability in sufficient technical detail. If multiple vulnerabilities affect the same product, a single form should be used.
    • How and when was it discovered? Include the potential impact, if observed, and potential remediation, if identified.
    • Additional information that may help investigation: testing environment, tools used to conduct the testing, specific assumptions and proof-of-concept, ways to reproduce vulnerable behavior, etc.
  • Please notify us if you have publicly disclosed the vulnerability or intend to do so before STERIS has an opportunity to evaluate and address it.
  • You will not include any personally identifiable information or other sensitive information (e.g., patient information, protected health information, etc.) in any documents provided to STERIS.

How to report a potential security vulnerability

  • If you have identified a potential security vulnerability in our products, please contact us by completing the form below:


What to expect from STERIS

Upon submission of a vulnerability, STERIS will:

  • Acknowledge receiving your report as soon as possible [typically within five (5) business days].
  • Assign a unique reference number for the report.
  • Direct your report to the appropriate product team to evaluate and confirm the vulnerability. STERIS may contact you at this stage if additional information is needed to fully understand the issue.
  • Notify you about verification results.
  • If the vulnerability is confirmed:
    • Evaluate the potential impact.
    • Identify and take appropriate action.
    • Assess whether the vulnerability is related to a third-party software component; if so, STERIS may provide the third-party manufacturer with your report and, with your consent, your contact information.
    • If the issue is under STERIS control, the STERIS product team will work on a resolution/mitigation.
    • Perform validation testing of the resolution.
    • Use our Customer notification process to manage safety/security communication, release of patches, vulnerability fixes or instructions for compensating controls. This may include direct Customer notification or public release of an advisory notification.

Important Notes

  • It is recommended that you:
    • Comply with all applicable federal, state, and local laws and regulations while conducting your security research.
    • Avoid any actions that could harm patients, users, or products, such as exploiting a vulnerability in a product actively in use.
    • Avoid conducting security research activities without obtaining permission/consent from the STERIS Customer prior to taking any action.
  • STERIS does not have a bug bounty program in place.
  • STERIS reserves the right, in its sole discretion, to determine whether to acknowledge security researchers and reporters.
  • As part of the coordinated vulnerability disclosure, STERIS requests all security researchers to inform STERIS of planned public release dates of potential vulnerabilities prior to release dates.
  • By submitting this information to STERIS through this process, you are agreeing that submission of the information does not create any rights for you, that such information will be non-confidential and non-proprietary to you, and that STERIS will be entitled to such information in whole or in part for any use or purpose whatsoever, without restriction and without compensating you or in any other way obligating STERIS.
  • STERIS will not knowingly collect Personally Identifiable Information (PII) when receiving potential vulnerability reports without explicit consent.
  • STERIS reserves the right to make exceptions to this policy on a case-by-case basis.

Safe Harbor

We consider activities conducted consistent with the CVD program to constitute "authorized" access under applicable anti-hacking laws. To the extent your activities, as specified herein, are inconsistent with certain restrictions in our Terms, we waive those restrictions for the limited purpose of permitting security research as specified in this program. STERIS supports security research into our products and wants to encourage this type of research. Provided your actions are consistent with the provisions herein, we will not bring a claim against you for circumventing the technological measures we have used to protect the applications in scope. If legal action is initiated by a third party against you in connection with your security vulnerability research, as described herein, and you have complied with the terms of this program, STERIS will take commercially reasonable steps to make it known to such third party that your actions were conducted in compliance with this program. We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of the terms of this CVD program that are otherwise in compliance with all applicable Federal, State, and local laws.

Product Security Advisories

STERIS investigates reports of security vulnerabilities affecting STERIS products and services and releases product security advisories as part of the ongoing effort to help our Customers manage security risks. Access the most recent product security updates from STERIS below: