Dräger Coordinated Disclosure Statement

At Dräger we develop technology for life. Our customers, regardless of what sector they're in, depend on this technology and expect that Dräger products will be secured against vulnerabilities that could affect the functioning of the products and the security, integrity and privacy of the electronic information and data used by the products. The security, integrity and privacy of the sensitive data of our customers, patients, and operators of our systems is deeply embedded in our development processes. However, to assist us with our development efforts, Dräger encourages and supports security researchers and customers to responsibly report to us any potential security and privacy vulnerabilities identified in our products.

Dräger maintains this product security page at http://static.draeger.com/security/ in order to provide contact details and information concerning the procedures to follow to test and report vulnerabilities.

If you encounter any issues with our products which do not implicate security or privacy vulnerabilities, or if you encounter any other issue which might affect patient, user, or operator safety, please contact your local Sales & Service representative.


Contact Details

You can reach us at product-security@draeger.com. Please use our PGP public key to encrypt your email submission to us! The public key can also be found on public key servers by the key id 12FF 9F68.


What You Should Do

Please follow these guidelines when reporting a security or privacy vulnerability. The faster we can verify and reproduce the issue, the faster we are able to react.

  • Please encrypt your mail to us using our PGP public key. Make sure to also encrypt attachments of your mail (PGP/MIME).
  • Please provide all information in English, which is the preferred language, although German is also acceptable.
  • Please provide all necessary contact information (contact names, organization name, tracking numbers, email addresses, phone numbers) so that we can get in touch with you.
  • Please give us details of the environment in which you found the vulnerability. This might include, but is not limited to:
    • exact product description, including name and version number(s), product configuration details, etc.
    • network configuration details
    • date and time of testing
    • any possible preconditions necessary to reproduce the issue
  • Please give us details about the tools used during your investigation. Not only does it help us to reproduce the issue, it might also be a useful addition to our product security testing tool suite.
  • If you wrote any specific exploit code please provide a copy.
  • Please provide us with any additional thoughts and information regarding your finding. If you know the vulnerability is being actively exploited please also tell us about it!
  • Please tell us whether you notified anybody else about the vulnerability, e.g., vulnerability coordinators, regulatory bodies, other affected vendors, etc.
  • Please refrain from including sensitive information, e.g., patient information, in any screenshots or other attachments you provide to us.

What We Will Do

  • Receipt of Vulnerability
    • Dräger will send you a receipt confirmation within four business days.
    • You will be provided with a direct contact person.
    • The product's security engineer will be notified.
  • Verification
    • The product team will attempt to reproduce the issue.
    • You may be asked for further information needed to reproduce your finding.
    • You will be notified with the result of the investigation.
  • Resolution Development
    • In a detailed analysis we'll figure out the root cause of the vulnerability.
    • We'll find out whether other products and versions are also affected.
    • We'll assess the severity of the finding.
    • Our product teams will work on developing a resolution for the vulnerability.
    • The new software version will go through our QA and testing process to ensure that a) the issue is resolved, b) no new vulnerabilities are introduced, and c) the intended behaviour of the product was not affected by the fix.
    • If the root cause lies in an external component, we'll communicate this vulnerability to the 3rd party and advise you of that notification. In that case, please inform us whether you would permit us to provide your information to the 3rd party.
    • All product security engineers are informed of the issue, to make sure it won't occur again.
  • Release
    • If the vulnerability is publicly known or known to be actively exploited, we may publish an advisory before remediation is available.
    • The fixed version will be released and deployed.

Responsible Security Testing

While we value your investigation efforts, please conduct testing in safe environments.

  • NEVER perform security testing on devices actively in use! This includes devices that are in standby mode and might be actively used after your investigation. Please be aware that security testing might have side-effects on the product that are not directly visible. When in doubt, decommission the device and contact Dräger Service or Dräger Product Security.
  • For web-based systems, never perform analysis on production systems. Use a demo, test or configuration system instead.
  • If you have found a vulnerability, use it only as reasonably necessary to demonstrate the vulnerability.
  • Never make changes to systems that are going to be used after your testing. If you do, decommission the product after making the change. Most vulnerabilities can be proven by read-only, non-modifying operations.

Coordinated Disclosure

We want to make sure that users of our systems are not unnecessarily put at risk. If you plan to publicly disclose a potential vulnerability, please inform us of your plans. We encourage you to work with Dräger to coordinate or synchronize the public release of information.

If the vulnerability is verified, Dräger will give credit to the researcher reporting the vulnerability in the published security advisory, if requested.

Notice:

In case you decide to share any information with Dräger, you agree that the information you submit will be considered as non-proprietary and non-confidential and that Dräger is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for Dräger.
© Drägerwerk AG & Co. KGaA, 2015