
Vulnerability Reporting Program

Introduction

At Johnson & Johnson (J&J), our Credo drives everything that we do. This includes our commitment to cybersecurity. We value the trust our patients have placed in us regarding their health and health information. At J&J, our cybersecurity program is designed to safeguard J&J devices, data, products, services, and infrastructure.

With constantly evolving threats, J&J also recognizes the contributions that the security researcher community can bring to our cybersecurity program. As a result, we have initiated this Vulnerability Reporting Program for security researchers to report new vulnerabilities that they discover in our products and infrastructure. The purpose of this program is to better ensure the security of J&J devices, products, services, and infrastructure through collaboration.

Purpose, scope, expectations and rewards

At J&J, we have enacted a cybersecurity program to uphold and maintain our commitment to providing secure devices, products, and services to our patients and clients around the globe. J&J recognizes that this program can be improved through the diligent efforts of the security researcher community and their vital security research.

This Vulnerability Reporting Program applies to security weaknesses discovered in our infrastructure, websites, public APIs, and applications. Accordingly, submissions from a security researcher regarding a vulnerability in a J&J device, product, or network may be eligible for acknowledgment through our Security Researcher Contributions page.

Eligibility of a submission for acknowledgment through the Security Researcher Contributions page will be granted at J&J’s sole discretion. However, in making this determination, J&J will consider whether the vulnerability was previously known to J&J and the submitter’s adherence to the Legal principles identified below. Eligibility will not be determined until after the report has been verified, validated, and remediated.

In all instances, we expect that the security researcher will act in good faith, without malicious intent, and report discoveries in a timely fashion.

Submission process for the vulnerability reporting program

If a vulnerability has been discovered, please contact us via vulnerability_reporting@its.jnj.com and be sure to include the following information:

  • A description of the exact nature of the vulnerability being reported.
  • Information regarding the location of the vulnerability’s existence, as well as the infrastructure, website, public API, product, or application in which the vulnerability was uncovered.
  • A detailed walkthrough of how the vulnerability was encountered and detected. This would include browser, operating system, versions, etc.
    • Please note, straight data dumps/exports will not be considered valid submissions.
  • Your preferred method for further contact, such that we can establish a secure means of communication.

We will reply to the emailed report within three (3) business days, confirming receipt of the submission. We may ask for additional information regarding the report and will address the report pursuant to our internal vulnerability management procedures.

We will also review the report to determine whether it is eligible for acknowledgment on our Security Researcher Contributions page. If eligible, we will notify the submitter.

Note: For vulnerabilities discovered within our suite of MedTech devices, please follow the reporting procedures at https://productsecurity.jnj.com.

Please be aware that this Vulnerability Reporting Program should not be understood as permission to perform any of the following:

  • Engaging in any activity disproportionate to what is necessary to identify that a vulnerability exists, including:
    • Accessing, downloading, or retaining patient data, personal information, or proprietary or confidential data.
    • Actively trying to exploit J&J devices, products, services, or network infrastructure with malicious intent.
    • Disrupting networks, services, or day-to-day operations.
    • Maintaining unauthorized access beyond the scope of proving that a vulnerability exists.
  • Engaging in any activity that puts at risk the safety of patients, customers, or operations, including, by way of example, installing malware, destroying or defacing J&J property, or conducting denial-of-service attacks.
  • Engaging in any activity that is in violation of local law or regulation.

Conclusion

We thank the security researcher community for contributing to a safer Internet and safer world for our patients.