No technology is perfect and Stryker believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our products. Good luck, and happy hunting!
We will not engage in legal action against individuals who submit reports through our Vulnerability Reporting process and enter into a legal agreement with us. We agree to work with individuals who:
- Engage in testing of systems/research without harming Stryker or its customers.
- Perform tests on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
- Engage in vulnerability testing within the scope of our vulnerability disclosure program in accordance with the terms and conditions of any agreements entered into between Stryker and individuals.
- Adhere to the laws of their location and the location of Stryker. For example, violating laws that would only result in a claim by Stryker (and not a criminal claim) may be acceptable as Stryker is authorizing the activity (reverse engineering or circumventing protective measures) to improve its system.
- Refrain from disclosing vulnerability details before any mutually agreed-upon timeframe expires.
Preference, prioritization, and acceptance criteria
We will use the following criteria to prioritize and triage submissions.
What we would like to see from you:
- Reports written in English.
- Reports that include proof-of-concept code, which will better equip us to triage.
- How you found the vulnerability, the impact, and any potential remediation.
Note: Reports that include only crash dumps or other automated tool output may receive lower priority.
What you can expect from us:
- A timely response to your email (within 5 business days).
- We will direct the potential findings to the appropriate product teams for verification and reproduction. You may be contacted to provide additional information at this stage.
- We will, following investigation of a report, confirm the existence of the vulnerability and the potential impact.
- If the identified vulnerability is determined to impact patient safety, we will work expeditiously to develop a resolution and take appropriate action. All other vulnerabilities will be evaluated and addressed based upon the associated risk.
- An open dialog to discuss issues.
- Notification when the vulnerability analysis has completed each stage of our review.
- Credit after the vulnerability has been validated and resolved, if desired.
- We are committed to being as transparent as possible about the remediation timeline and issues or challenges that may be involved.
- If we are unable to resolve communication issues or other problems, we may bring in a neutral third party (such as CERT/CC, ICS-CERT, or the relevant regulator) to assist in determining how best to handle the vulnerability.
- All aspects of this process are subject to change without notice and to case-by-case exceptions. No particular level of response is guaranteed.
In the event you decide to share any information with Stryker, you agree that the information you submit will be considered non-proprietary and non-confidential and that Stryker is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for Stryker.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email firstname.lastname@example.org. We will address your issue as soon as possible.