Skip to main content

Coordinated Vulnerability Disclosure (CVD) Process

Scope

This CVD process applies to the reporting of potential cybersecurity vulnerabilities in Leica Biosystems products and services.

Reporting Pre-Requisites

Security researchers must comply with the following pre-requisites at all times:

  • Ensure that actions do not put patient safety at risk
  • Comply with all applicable laws and regulations of your location and Leica Biosystems location
  • Obtain written permission from product owner before beginning security testing
  • Do not disclose the vulnerability details publicly before a mutually agreed timeframe with Leica Biosystems
  • Products must be returned to their original state before use in a clinical environment

Contact Information and CVD Submission Process​

Potential security vulnerabilities or privacy issues with Leica Biosystems web site or IT infrastructure should be reported to: security.team@leicabiosystems.com

Potential security vulnerabilities or privacy issues with a Leica Biosystems product should be reported to: lbs.productsecurity@leicabiosystems.com

Please use email encryption with our public PGP key.

We ask that you please refrain from including sensitive information (e.g., sample information, PHI, PII, etc.) as a part of any submissions to Leica Biosystems. Please provide the following information in your submission:

  • Your contact information (e.g., name, address, phone number)
  • Date and method of discovery
  • Description of potential vulnerability
    • Product name
    • Version number
    • Configuration details
  • Steps to reproduce
    • Tools and methods
    • Exploitation code
    • Privileges required
  • Results or impact

What Happens Next​

Upon receipt of a potential product vulnerability submission, Leica Biosystems will:

  • Acknowledge receipt of the submission within five (5) business days
  • Work with specialized product teams to evaluate and validate reported findings
  • Contact the submitter to request additional information, if needed
  • Take appropriate action

Disclaimer

Leica Biosystems considers it a top priority to protect the health and safety, as well as the personal information, of our customers' patients.

When conducting your security research, please avoid actions that could cause harm to patients or products. Note that vulnerability testing could negatively impact a product. As such, testing should not be conducted on active products in a clinical setting, and products subjected to security testing should not subsequently be used in a clinical setting. If there is any doubt, please contact a Leica Biosystems representative.

Leica Biosystems reserves the right to modify its coordinated vulnerability disclosure process at any time, without notice, and to make exceptions to it on a case-by-case basis. No level of response is guaranteed.

CAUTION: Do not include sensitive information (e.g., sample information, PHI, PII, etc.) in any documents submitted to Leica Biosystems. Comply with all laws and regulations during your testing activities.

By contacting Leica Biosystems, you agree that the information you provide will be governed by our site's Privacy Policy and Online Terms of Use.

Note: When sharing any information with Leica Biosystems, you agree that the information you submit will be considered non-proprietary and non-confidential and that Leica Biosystems can use such information in any manner, in whole or in part, without any restriction.