Cybersecurity

Coordinated Vulnerability Disclosure Statement

Bayer aims to improve the lives of our customers through our purpose, Science for a better life. At the core of this mission is a commitment to safety, which influences how we make decisions throughout the lifecycle of our products. Cybersecurity has become an integral component of what it means to deliver safe products and services.

 

Bayer operates under a global security policy, which guides Bayer’s incident management and risk assessment activities relating to potential security and potential privacy vulnerabilities identified in our operations, products and services. As a part of our efforts to deliver secure solutions, we acknowledge the importance of the work performed by self-initiated security researchers with respect to unsolicited, proactive vulnerability identification and proposed risk mitigation. Bayer fully supports coordinated vulnerability disclosure and encourages security researchers who choose to engage in these actions to do so in a responsible manner. The information provided below details the process by which cybersecurity researchers can voluntarily report revelated vulnerabilities to Bayer. We developed and implemented this policy consistent with Bayer corporate values and as a commitment to good-faith security researchers who choose to provide us with their expertise and observations when those observations reveal previously unidentified vulnerabilities.

Initial Program and Scope

This Coordinated Vulnerability Disclosure Policy applies to all commercially available Bayer products and services and corporate operations. Our intention is to work with those in the cybersecurity research community who choose to contribute to and improve international cybersecurity strength and to proactively identify and mitigate risks, allowing us to ensure a safer environment for our customers, patients, and employees.

 

In consideration, Bayer will maintain a Hall of Fame to provide credit to researchers who responsibly and ethically report vulnerabilities through the CVD process, if requested, after the submission has been verified, validated, and addressed by Bayer, in Bayer’s sole discretion.

 

The reporting process established within this statement is not to be used to report Product Technical Complaints, adverse events, or to request technical support. If you require assistance relative to one of these important items, please visit so that Bayer can timely consider those reports.

Reporting Prerequisites and Legal Posture

Security researchers must adhere to the prerequisites outlined below throughout the research and disclosure process. We agree to work with individuals who:

  1. Ensure submissions do not contain sensitive information, such as Patient Health Information (PHI) or Personally Identifiable Information (PII);
  2. Do not perform research or testing on Bayer products, services, or infrastructure that may lead or contribute to harm of people or property;
  3. Avoid researching or testing products in clinical settings or other active environments where the products may be used for patient diagnosis, treatment, care, or monitoring;
  4. Test on products or systems without affecting customers, service, or availability, or who obtain written permission / consent from the owner of the Bayer product, where applicable, prior to initiating research or testing activities against their devices, software, infrastructure, etc.;
  5. Comply with laws and regulations applicable to you and your location and to jurisdictions relevant to Bayer products, services, or operations;
  6. Do not use a vulnerability to take disproportionate action, such as exploiting a vulnerability beyond what is reasonably necessary to prove its existence, modifying or deleting data on the system, copying sensitive data from the system, or otherwise introducing additional vulnerabilities to the product;
  7. Do not operate outside of the scope of this Coordinated Vulnerability Disclosure Policy;
  8. Provide us with details of past or planned communication to regulatory organizations / other third parties about any discovered vulnerabilities
  9. Are allowed under the labor laws applicable to them and to Bayer to voluntarily engage in the actions they take without a mandate or anticipation of employment or service-related compensation.

IMPORTANT: In addition to the points described above, we encourage you to coordinate with Bayer to select public release dates for information on discovered vulnerabilities. We ask that you do not disclose vulnerability details to the public before this mutually agreed upon timeframe expires. Please inform us of your disclosure plans, if any, prior to public disclosure.

 

How to Submit a Vulnerability

To voluntarily submit a vulnerability or other identified cybersecurity concern related to Bayer products, services, or infrastructure, please send an email to CVD@bayer.com.  


To voluntarily submit a vulnerability or other identified cybersecurity concern related to Bayer products, services, or infrastructure, within China, please send an email to ChinaCVD@bayer.com.

 

Submission Preferences, Prioritization, and Acceptance Criteria

We will utilize the following criteria to prioritize and triage unsolicited submissions:

  • Well-written reports in English have a higher chance of resolution;
  • Please provide us with contact information, such as organization and contact name / preferred contact method, so that we can communicate with you on your findings;
  • The names of those who are known or suspected to be aware of these findings;
  • Include detailed information surrounding the product(s), service(s), or infrastructure tested
    • Please provide the following information: specific product tested, including product name and version number; the technical infrastructure tested, including operating system and version; and any relevant additional information, such as network configuration details.
    • For websites and other web-based solutions, please provide the following: date and time of testing, URLs, the browser type and version, as well as the input provided to the application;
  • Please provide us with a technical description of vulnerability, including how it was discovered, the potential impact if exploited, and suggested remediation to drive efficiency in interactions;
  • Please provide any additional relevant information related to the research or testing performed (i.e. tools used, relevant test configurations, impact and severity estimates, scope assessment, etc.)
    • Reports that include proof-of-concept code equip us to better triage;
  • Include the goal of the disclosure to Bayer and / or intentions for public disclosure, if any;
  • Reports that include only crash dumps or other automated tool output may receive lower priority;
  • Reports about products not included within the scope of this statement may receive lower priority
     

  • Bayer will acknowledge receipt of your report within 3 business days;
  • Bayer will provide a unique tracking number for your report;
  • During the initial triage and assessment phase, a member of the Bayer Security Team may reach out to you to request additional information; 
  • Once sufficient information has been collected, we will:
    • Verify the reported vulnerability and its potential impact
    • Further assess the report and investigate with the appropriate security teams
    • Work on a mitigation / remediation per our established processes
  • Throughout the vulnerability handling process, Bayer will keep you informed of the status of your report, including any significant new information, with clear expectations on timeline as well as on issues or challenges that may extend the timeline;
  • Bayer will maintain an open dialog to discuss issues;
  • Bayer will use existing customer notification processes to manage the release of updates to address the vulnerability, which may include direct customer notification and / or release of a public advisory notification; 
  • Bayer will provide public recognition in our Hall of Fame as consideration for the security researcher’s effort, if requested, and after the vulnerability has been verified, validated, and addressed
     

If we are unable to resolve communication issues or other problems, Bayer may request a neutral third party (such as DHS CISA or other relevant agencies or regulators) to assist in the resolution.

This statement (version 1.0) was created on August 20, 2021. This policy will be updated or renewed periodically.

Notice:
You agree that any information voluntarily shared with Bayer will be considered as non-proprietary and non-confidential and you understand that Bayer is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation on behalf of Bayer.