Coordinated Vulnerability Disclosure Policy

Hologic Encourages Responsible Security Research

Hologic recognizes the important role security researchers play in helping to promote secure design practices and security risk mitigation, both within the medical device industry specifically, and the healthcare ecosystem. We value the work done by security researchers and encourage proactive engagement with us on discovered vulnerabilities and proposed disclosure in a coordinated and responsible manner. This document sets out both our expectations of researchers conducting security research on Hologic products in their interactions with us and others and what they can expect from us.

Hologic welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our company assets or the products we sell, we want to hear from you. This policy outlines steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.

Systems In Scope

This Coordinated Vulnerability Disclosure Policy applies to all Hologic commercially available products and/or Hologic digital assets owned, operated, or maintained by Hologic. The collective goal of security researchers and Hologic should always be to reduce risk, with due consideration given to the entire operating environment impacted by any discovered vulnerability.

Systems Out of Scope

Any product and/or digital asset, which is owned, operated, or maintained by any company other than Hologic.

Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.

Reporting Pre-Requisites

Security researchers must adhere to the following pre-requisites throughout their security research. Security researchers agree that they shall:

  • comply with all applicable laws and regulations of their location and the location in which the Hologic product is located.
  • not use a vulnerability to take disproportionate action against Hologic, any of its employees or any other entity or people. This includes:
    1. exploiting a vulnerability other than to prove its existence.
    2. removing sensitive data from the product.
    3. creating a backdoor within the product.
    4. otherwise introducing further vulnerability into a product for subsequent use.
  • not engage in research or testing of systems where there is any risk of patient harm.
  • not test products or network infrastructure in clinical settings or other active environments where the products are being used for any type of patient diagnosis, treatment, care, or monitoring, or could inadvertently be used in this way.
  • return any product in a clinical setting to its original state when testing is concluded. Please contact Hologic for service assistance if you have any questions.
  • obtain written permission from the owner of the Hologic device or system in advance of any testing to ensure that the scope is clear.
  • not disclose vulnerability details to the public unless Hologic has provided its written consent to do so.
  • not operate outside of the scope described in this document.
  • provide Hologic with details of communication to regulatory organizations or other third parties about any discovered vulnerability, in the most expedient time possible.


How To Submit a Report of Vulnerability Via Official Channels

All relevant information regarding any discovered security issues must be reported to CoordinatedVulnerability@hologic.com. We ask that you use our PGP key, or other suitable encryption tools, to protect any sensitive details in your submission. Please do not include any sensitive data (e.g., identifiable patient data) within the body of the communication or any attachments (e.g., screenshots, images, or log files). The more details you provide in your submission, the easier it will be for Hologic to triage and fix the issue.

What To Include in Your Submission to Us

Please include in your submission essential details like:

  • a description of the vulnerability
  • the geographical location of the product, exact model, and serial number, as well as the software revision and the method of obtaining the system.
  • proof-of-concept code
  • step-by-step instructions to reproduce the issue.
  • suggested mitigation or remediation actions as appropriate.
  • your goal for the disclosure and any intentions for public disclosure.


What We Request Of, And Expect from You

In participating in our vulnerability disclosure program in good faith, we ask that you:

  • do not use this channel to report complaints about Hologic products currently in use. All customer complaints regarding the safety or performance of a Hologic product in use should be made directly to a Hologic Service Representative.
  • follow the terms and conditions of this policy.
  • limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept and cease testing.
  • submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.
  • only interact with test accounts you own or with explicit permission from the account holder.
  • not disclose your findings until you speak directly with someone at Hologic.


What you may expect from Hologic

Hologic will:

  • respond to your report promptly, and work with you to understand and validate your report.
  • strive to keep you informed about the progress of a vulnerability as it is processed.
  • work to remediate discovered vulnerabilities in a timely manner, within our operational constraints.


Activities Outside the Scope of This Policy

Hologic prohibits any individual, group of individuals, consortium, partnership, or any other business or legal entity from participating in security research, vulnerability assessment, or threat disclosure activity that contradicts this policy or the law.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report at CoordinatedVulnerability@hologic.com before going any further.