Product Security - HemoCue Global

Product Security and Coordinated Vulnerability Disclosure

Legal position

HemoCue will not engage in legal action against individuals who in good faith submit vulnerability reports in accordance with our coordinated vulnerability disclosure process. We openly accept reports for the currently supported products and services from individuals who

Engage in testing our products and/or research without harming HemoCue or its customers
Engage in vulnerability testing within the scope of our vulnerability disclosure program and avoid testing against products and/or services being actively used for patient care delivery, diagnostics or monitoring

Disclaimer

HemoCue considers it a key priority to provide safe products and services including protecting personal information. Therefore, when conducting your security research, please avoid actions that could cause harm to patients or products. Note that vulnerability testing could negatively impact a product. As such, testing should not be conducted on active products in a clinical setting, and products subjected to security testing should not subsequently be used in a clinical setting. If there is any doubt, please contact a HemoCue representative.

HemoCue reserves the right to modify its coordinated vulnerability disclosure process at any time, without notice, and to make exceptions to it on a case-by-case basis. No particular level of response is guaranteed. However, if a vulnerability is verified, we will attribute recognition to the researcher reporting it, if requested.

CAUTION: Do not include sensitive information (e.g., sample information, PHI, PII, etc.) in any documents submitted to HemoCue. Comply with all laws and regulations in the course of your testing activities.

By contacting HemoCue, you agree that the information you provide will be governed by our site’s Privacy Policy and Online Terms of Use.

Note: When sharing any information with HemoCue, you agree that the information you submit will be considered non-proprietary and non-confidential and that HemoCue is allowed to use such information in any manner, in whole or in part, without any restriction.

Click here to submit vulnerability report or continue reading for the latest product security news.

Product Security News

Log4Shell (Apache Log4j)

Updated November 14, 2022

Background

On December 10, 2021, a critical vulnerability (CVE-2021-44228) was reported in Apache Log4j. The vulnerability impacts multiple versions of the Apache Log4j utility and the applications that use it. The vulnerability allows an attacker to execute arbitrary code.

Response

As soon as we received information regarding this serious vulnerability, we assessed all our products, and the conclusion is that we are not using the mentioned library in any of our products and our products are therefore not affected by this threat.

Fill out form below to send a vulnerability report

Vulnerability Report

CONTACT INFORMATION First Name* Last Name* Organization* Country of residence* E-mail* Phone no.* VULNERABILITY DESCRIPTION Date of discovery Description of vulnerability* Method of discovery* Tools used to discover vulnerability Vulnerability being exploited? Exploit publicly available? Describe impact and how you envision it being used in attack Steps to reproduce error state, exploitable condition Additional comments PRODUCT DETAILS Product Name* Product Version Number* Product Serial Number* By submitting this form, I acknowledge that I have reviewed and understood the data privacy policy.