Security Bulletins
(including the latest on Log4j)
Security Policy Statement
We value patient safety and we strive to provide products that are safe and effective for our patients to use in the management of their diabetes. Because cybersecurity risks are increasing, they are an increasingly important part of our focus on safety and privacy. Dexcom assesses these risks and is committed to take appropriate action to address vulnerabilities when they arise.
In order to ensure the integrity and availability of our products and systems, Dexcom takes measures intended to limit access and use of our products to only authorized users and applications.
Product and Information Security
We are committed to conducting ongoing reviews to minimize security risk and vulnerabilities. Ongoing activities include:
- Monitoring of announced vulnerability to assess potential impact to Dexcom products
- Coordinating with security researchers and other professionals to identify and/or mitigate or address confirmed risks
- Engaging external experts in cybersecurity reviews
- Assessing potential impact of threats
- Developing and implementing mitigation strategies
- Aligning with all applicable legal and regulatory requirements
Dexcom is committed to continuously improve the security, including cybersecurity, of our products and has implemented processes and programs intended to design security in the development of our products. We continue to monitor and enhance security as appropriate throughout the product lifecycle.
Dexcom understands the importance of protecting patient and partner data and has implemented security practices into the development and ongoing operations of our data services that are intended to deliver security, performance, and usability.
DEXCOM’S COORDINATED VULNERABILITY DISCLOSURE PROGRAM
We recognize the valuable contributions from the security research community. To appropriately partner with the research community, we have created a Coordinated Vulnerability Disclosure Program which we hope promotes collaboration with those that are intending to work with Dexcom in good faith.
Making a Submission:
If you have a concern or have identified a potential vulnerability in one of our products, we ask that you to submit this information using the form below. Please use English for your submission (if possible).
- If you have other questions, please see below for additional contact information:
- If you’re a patient with a product question or concern, contact Dexcom global technical support
- If you wish you exercise your rights with respect to your Personal Information see our Privacy Portal
- For investor or media questions, please see our Dexcom newsroom
What to Include:
Please fill in all of the required fields below, and be sure to include:
- 1. Details related to the discovery
- 2. The products/devices/systems that may be impacted (with product numbers, if available)
- 3. Steps which would need to be taken to replicate the potential vulnerability (if known);
- 4. Any awareness of active exploitation
- 5. Whether you were able to access any personally identifiable information on the product/system related to the vulnerability or concern
- 6. Details on the testing environment, process and tools used to identify the potential vulnerability
- 7. Whether you have notified or plan to notify any other third party about the vulnerability submitted (i.e., regulatory agencies, vendors, vulnerability coordinators, etc.); and/or
- 8. Any other information that you believe would be helpful
Dexcom’s Expectations of Researchers:
We ask that security researchers who test and submit vulnerabilities do so in accordance with the following guidelines:
- Avoid actions that could impact the safety or privacy of any person
- Do not include any personally identifiable information about any other person (including any identifiable protected health information)
- Perform the testing in a safe environment and manner
- Do not: test or alter a production or active device in any way; use brute force testing; test or alter a medical device, software or service that is in active use; use a device or software that has been subject to testing for medical purposes; exploit any vulnerability; take actions that result in a change to a product or system after the test is conducted; use devices in production that have been altered; create an active exploit; create or publicly post code that exploits an identified vulnerability
- Comply with all laws and regulations in the course of your research and testing activities
- We also ask that you not publicly disclose without engagement with Dexcom
What You Can Expect From Dexcom:
We will take the following steps:
- Review all submitted information and acknowledge receipt of the initial submission within five business days
- We will evaluate and/or investigate the submitted information, working with the appropriate business and product teams for review and verification
- Request additional information, if required, to enable a full review of the submission
If the vulnerability is confirmed, Dexcom will evaluate the potential impact, and identify and take appropriate action, which may include:
- Internal replications of potential vulnerability
- Conduct a risk assessment and/or evaluation
- Mitigation/remediation planning and execution
- External communications efforts
- We may desire to disclose a confirmed vulnerability and may reach out to get your agreement to recognize your contribution in such disclosure
Terms Applicable to Dexcom’s Coordinated Vulnerability Disclosure Program:
By submitting information, you agree that (a) your submission will be governed by Dexcom’s Privacy Statement and Terms of Use; (b) the information you submit will be considered as non-proprietary and non-confidential information, which Dexcom is allowed to use in any manner, in whole or in part, without any restriction; (c) your participation in Dexcom’s Coordinated Vulnerability Disclosure Program does not create any rights for you and/or any obligation for Dexcom; and (d) any aspect of this process may be changed by Dexcom, in its sole discretion and without notice.
