Dräger Coordinated Disclosure Statement

At Dräger we develop technology for life. Our customers, regardless of what sector they're in, depend on this technology and expect that Dräger products will be secured against vulnerabilities that could affect the functioning of the products and the security, integrity and privacy of the electronic information and data used by the products. The security, integrity and privacy of the sensitive data of our customers, patients, and operators of our systems is deeply embedded in our development processes. However, to assist us with our development efforts, Dräger encourages and supports security researchers and customers to responsibly report to us any potential security and privacy vulnerabilities identified in our products.

Dräger maintains this product security page at http://static.draeger.com/security/ in order to provide contact details and information concerning the procedures to follow to test and report vulnerabilities.

If you encounter any issues with our products which do not implicate security or privacy vulnerabilities, or if you encounter any other issue which might affect patient, user, or operator safety, please contact your local Sales & Service representative.

Contact Details

You can reach us at product-security@draeger.com. Please use our PGP public key to encrypt your email submission to us! The public key can also be found on public key servers by the key id 12FF 9F68.


What You Should Do

Please follow these guidelines when reporting a security or privacy vulnerability. The faster we can verify and reproduce the issue, the faster we are able to react.

  • Please encrypt your mail to us using our PGP public key. Make sure to also encrypt attachments of your mail (PGP/MIME).
  • Please provide all information in English, which is the preferred language, although German is also acceptable.
  • Please provide all necessary contact information (contact names, organization name, tracking numbers, email addresses, phone numbers) so that we can get in touch with you.
  • Please give us details of the environment in which you found the vulnerability. This might include, but is not limited to:
    • exact product description, including name and version number(s), product configuration details, etc.
    • network configuration details
    • date and time of testing
    • any possible preconditions necessary to reproduce the issue
  • Please give us details about the tools used during your investigation. Not only does it help us to reproduce the issue, it might also be a useful addition to our product security testing toolsuite.
  • If you wrote any specific exploit code please provide a copy.
  • Please provide us with any additional thoughts and information regarding your finding. If you know the vulnerability is being actively exploited please also tell us about it!
  • Please tell us whether you notified anybody else about the vulnerability, e.g., vulnerability coordinators, regulatory bodies, other affected vendors, etc.
  • Please refrain from including sensitive information, e.g., patient information, in any screenshots or other attachments you provide to us.

What We Will Do

  • Receipt of Vulnerability
    • Dräger will send you a receipt confirmation within four business days.
    • You will be provided with a direct contact person.
    • The product's security engineer will be notified.
  • Verification
    • The product team will attempt to reproduce the issue.
    • You may be asked for further information needed to reproduce your finding.
    • You will be notified of the result of the investigation.
  • Resolution Development
    • In a detailed analysis we'll figure out the root cause of the vulnerability.
    • We'll find out whether other products and versions are also affected.
    • We'll assess the severity of the finding.
    • Our product teams will work on developing a resolution for the vulnerability.
    • The new software-version will go through our QA and testing process to ensure that a) the issue is resolved, b) no new vulnerabilities are introduced, and c) the intended behaviour of the product was not affected by the fix.
    • If the root cause lies in an external component, we'll communicate this vulnerability to the 3rd party and advise you of that notification. In such a case, please inform us whether you would permit us to provide your information to the 3rd party.
    • All products' security engineers are informed of the issue, to make sure it won't occur again.
  • Release
    • If the vulnerability is publicly known or known to be actively exploited, we may publish an advisory before remediation is available.
    • The fixed version will be released and deployed.

Responsible Security Testing

While we value your investigation efforts, please conduct testing in safe environments.

  • NEVER perform security testing on devices actively in use! This includes devices that are in standby mode and might be actively used after your investigation. Please be aware that security testing might have side-effects on the product that are not directly visible. When in doubt, decommission the device and contact Dräger Service or Dräger Product Security.
  • For web-based systems, never perform analysis on production systems. Use a demo, test or configuration system instead.
  • If you have found a vulnerability, use it only as reasonably necessary to demonstrate the vulnerability.
  • Never make changes to systems that are going to be used after your testing. If you do, decommission the product after making the change. Most vulnerabilities can be proven by read-only, non-modifying operations.

Coordinated Disclosure

We want to make sure that users of our systems are not unnecessarily put at risk. If you plan to publicly disclose a potential vulnerability, please inform us of your plans. We encourage you to work with Dräger to coordinate or synchronize the public release of information.

If the vulnerability is verified, Dräger will give credit to the researcher reporting the vulnerability in the published security advisory, if requested.


In case you decide to share any information with Dräger, you agree that the information you submit will be considered as non-proprietary and non-confidential and that Dräger is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for Dräger.

© Drägerwerk AG & Co. KGaA, 2015