Product Security and Coordinated Vulnerability Disclosure

Legal position

HemoCue will not engage in legal action against individuals who in good faith submit vulnerability reports in accordance with our coordinated vulnerability disclosure process. We openly accept reports for the currently supported products and services from individuals who:

  • Engage in testing our products and/or research without harming HemoCue or its customers
  • Engage in vulnerability testing within the scope of our vulnerability disclosure program and avoid testing against products and/or services being actively used for patient care delivery, diagnostics or monitoring


HemoCue considers it a key priority to provide safe products and services including protecting personal information. Therefore, when conducting your security research, please avoid actions that could cause harm to patients or products. Note that vulnerability testing could negatively impact a product. As such, testing should not be conducted on active products in a clinical setting, and products subjected to security testing should not subsequently be used in a clinical setting. If there is any doubt, please contact a HemoCue representative.

HemoCue reserves the right to modify its coordinated vulnerability disclosure process at any time, without notice, and to make exceptions to it on a case-by-case basis. No particular level of response is guaranteed. However, if a vulnerability is verified, we will attribute recognition to the researcher reporting it, if requested.

CAUTION: Do not include sensitive information (e.g., sample information, PHI, PII, etc.) in any documents submitted to HemoCue. Comply with all laws and regulations in the course of your testing activities.

By contacting HemoCue, you agree that the information you provide will be governed by our site’s Privacy Policy and Online Terms of Use.

Note: When sharing any information with HemoCue, you agree that the information you submit will be considered non-proprietary and non-confidential and that HemoCue is allowed to use such information in any manner, in whole or in part, without any restriction.

What happens after submission

Upon receipt of a potential product vulnerability submission, HemoCue will:

  • Acknowledge receipt of the submission in a timely manner
  • Work with specialized product teams to evaluate and validate reported findings
  • Contact the submitter to request additional information, if needed
  • Take appropriate action

Click here to submit a vulnerability report or continue reading for the latest product security news.

Product Security News

Log4Shell (Apache Log4j)

Updated November 14, 2022


On December 10, 2021, a critical vulnerability (CVE-2021-44228) was reported in Apache Log4j. The vulnerability impacts multiple versions of the Apache Log4j utility and the applications that use it. The vulnerability allows an attacker to execute arbitrary code.


As soon as we received information regarding this serious vulnerability, we assessed all our products. The conclusion is that we are not using the Log4j library in any of our products, and our products are therefore not affected by this threat.

Fill out the form below to send a vulnerability report

Vulnerability Report