Tandem Diabetes Care is committed to maintaining a secure environment for our customers. We have an unwavering commitment to provide safe and secure products and services.
If you believe you have identified a security vulnerability in one of our websites, products, or software, we thank you for reporting it as quickly as possible. We will work with security researchers to investigate and validate findings reported in accordance with this Coordinated Disclosure Policy. We will not take legal action against anyone who discovers and reports security vulnerabilities in accordance with this Coordinated Disclosure Policy. Tandem Diabetes Care reserves all of its legal rights in the event of any noncompliance with this Policy.
Public disclosure of the existence of vulnerabilities in Tandem Diabetes Care products, websites, or other properties, including any details or steps for validation, is prohibited without express written permission from Tandem Diabetes Care. Any such disclosure will render the report noncompliant with this Coordinated Disclosure Policy. Also note that the following partial list of actions is considered out of scope for responsible vulnerability testing and disclosure:
Purposefully accessing, modifying, or downloading data from or details of an account that does not belong to the reporter.
Any form of Denial of Service (DoS) attack.
Any use of phishing or attacking users or employees of Tandem Diabetes Care.
Testing of third-party applications, websites, or services not owned by Tandem Diabetes Care.
Any form of attack resulting in the likely damage to or degraded performance of Tandem Diabetes Care property, web presence, or public image.
By reporting a vulnerability, you agree to allow Tandem Diabetes Care the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before either party discloses detailed vulnerability or exploit information to the public. Tandem Diabetes Care is committed to coordinating with reporters throughout the vulnerability investigation and will provide reporters with updates on progress. Upon release of an update, Tandem Diabetes Care may, with the reporter’s permission, publicly acknowledge the reporter’s contributions and express gratitude to him/her for privately reporting the issue.
How to Report a Potential Product Security Vulnerability
Tandem Diabetes Care has developed a process to receive potential product security vulnerabilities from external sources in order to validate their existence and determine how best to respond to improve product security and safety. Please e-mail potential product security vulnerabilities to the Tandem Diabetes Care Security team at security@tandemdiabetes.com.
Do not submit any data that contains individually identifiable health information.
Provide detailed contact information so that we can reach you.
Provide clear descriptions of the potential product security vulnerability you have identified and the methods used to exploit it.
Identify as much specific product information as possible – the product name, model number, serial number, software version number, etc.
Provide any information regarding the network configuration you used when identifying the potential product security vulnerability.
If the vulnerability you are reporting is on a Tandem Diabetes Care external facing website, please provide:
Target website
Type of vulnerability (e.g., SQLi, XSS, CSRF)
Specific vulnerability URL
Steps to reproduce (detailed)
Suggested means to remediate, if known
The HTTP request used (e.g., the GET request)
Provide proof-of-exploit code if you have it.
Describe how you found the potential product security vulnerability, and the potential impact.
Please include any plans or intentions for public disclosure, and whether you have already communicated with a vulnerability coordinator.
What You Can Expect From Tandem Diabetes Care
We will acknowledge receiving your report within two business days for our regulated medical device products, and within five business days for Enterprise IT systems.
If your report is for a Tandem Diabetes Care product:
We will provide the name of a contact person at Tandem Diabetes Care for the reported issue.
After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as any issues or challenges that may extend the timeline.
We will direct the information to the appropriate business unit, which will attempt to recreate your results. We will communicate with you if we have any difficulties in that recreation.
If confirmed, we will conduct a risk assessment of the vulnerability and discuss that assessment with you.
We will identify whether users need to implement compensating controls while a fix is being prepared and communicate that using our normal customer notification processes.
If the issue warrants externally released communications, we will coordinate release announcements with you so that when the fix is released, you may receive credit, if desired.
The process described here is not a guarantee but rather a statement of Tandem Diabetes Care's intentions, which is subject to change based on the circumstances of any particular situation.
If you have legal concerns about reporting vulnerabilities to Tandem Diabetes Care, please send an email to the address above to let us know about your concerns prior to submitting any details through our product security reporting process. We welcome any research conducted and submitted in good faith, and in that regard please bear in mind:
We expect that the intent of your testing is not to cause commercial harm to Tandem Diabetes Care or to cause damage to Tandem Diabetes Care’s customers or patients.
Our software is protected by license terms that prevent the public disclosure of proprietary information contained in our products (meaning, you need to come to us first with your findings so we can work out a mutually agreed-upon disclosure plan).
You must adhere to the laws of the U.S. and your locality.
By submitting information to Tandem Diabetes Care through this process, you are agreeing that submission of the information does not create any rights for you, that such information will be considered to be non-confidential and non-proprietary to you, and that Tandem Diabetes Care will be entitled to such information in whole or in part for any use or purpose whatsoever, without restriction and without compensating you or in any other way obligating Tandem Diabetes Care.
Note that at this time, Tandem Diabetes Care does not have a bug bounty program in place.