Author Topic: ResMed Bug Bounty  (Read 1075 times)


ResMed Bug Bounty
« on: July 31, 2023, 05:48:12 pm »
submit bug report:

Our security
ResMed, a global leader in digital health, is dedicated to proactively solving the complex challenges of information security, strengthening our defenses against threats and mitigating risks. We’ve built our processes and protocols from best practices in order to maintain confidentiality and data integrity for the business, our employees, our partners and our patients. Below is a sample of the controls we utilize across ResMed and subsidiary companies:


| Layers | Threats | Defenses |
| --- | --- | --- |
| Physical | Physical intrusion, social engineering | Badged access, data center controls, training, assessments |
| Cloud | Data loss, misconfiguration | Data loss prevention (DLP), configuration monitor, security information and event management (SIEM), web application firewall |
| Network | Hacking, denial of service (DOS) | IDS/IPS firewalls, Strict ACLs, virtual private network (VPN), app security, SIEM |
| Platform | Phishing, malware, hacking | Employee training, phishing campaigns, URL filtering, security ops center, email security |
| PCs and mobile devices | Malware, ransomware, hacking, device loss | Traditional and next-generation anti-virus, device encryption, asset management |
| Application | SQL injection, man-in-the-middle, software vulnerability, hacking | Penetration testing, coding standards, patching, secure software development life cycle (SDLC) |
| Data | Unauthorized access | Encryption, IDS/IPS firewalls, backup/recovery, VPN, Multi-factor authentication (MFA) |
| Response | Security event, breach, data corruption or loss, system loss | SIEM incident response, dedicated security team, third-party support |

Security news
Okta Breach

ResMed is aware of the LAPSUS$ attack on Okta and is assured that none of our customers' information has been impacted. This has been confirmed both by our internal teams and by Okta.

Log4j (Log4Shell) Vulnerability

Read about how ResMed is dealing with this threat here: Log4j Security Bulletin


ResMed Statement on the Role of CPAP in Mitigating the Effects of COVID-19

Ripple20 Security Vulnerabilities

On June 16, 2020, a set of vulnerabilities in the Treck TCP/IP stack was made public. If exploited, these vulnerabilities could interfere with the function of medical devices.

We have examined our devices and have confirmed that some products use the affected components: ResMed Connectivity Module Hospital (RCMH), Astral, and TxLink. The Ethernet port is disabled at the time of shipping for RCMH and Astral, which prevents access to the TCP/IP stack. The TxLink device is intended for use within private networks under supervised conditions and is considered low risk with respect to Ripple20.

URGENT/11 Security Vulnerabilities

On July 29, 2019, the URGENT/11 set of vulnerabilities in Real-Time Operating Systems was made public. If exploited, these vulnerabilities could interfere with the function of medical devices, particularly within hospital networks.

We have examined our devices and can confirm that the vulnerable Operating Systems are not in use within our medical devices and that we are not exposed to this set of vulnerabilities.

Recruitment Fraud Alert
It has come to our attention that various individuals and organizations are offering false employment opportunities on behalf of ResMed. Such fraudulent communications may come from various sources, including fake websites and/or unsolicited emails. These communications seek to obtain personal data and payment from victims by offering jobs at ResMed that do not exist.

Please be advised ResMed would never ask for payment to progress a job application. When in doubt, please check to see if the position is posted on our website before applying.

Additionally, please report any suspicious recruiting activity to

ResMed Responsible Disclosure Program
Response targets

ResMed will make a best effort to meet the following SLAs for hackers participating in our program:

| Type of response | SLA in business days |
| --- | --- |
| First response | 5 days |
| Time to triage | 10 days |
| Time to resolution | depends on severity and complexity |

We’ll try to keep you informed about our progress throughout the process.

Disclosure policy

Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's disclosure guidelines.

Program rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Physical attacks are prohibited.
Disclosing any client or patient information is prohibited.
Disclosing the vulnerability publicly in any way before ResMed provides permission is prohibited.
Testing on third party vendors is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Out-of-scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

Highly speculative/theoretical vulnerabilities or previously known vulnerable libraries without a working proof of concept
Best practice suggestions that are not vulnerabilities (i.e. missing HTTP Only or Secure flags, SSL/TLS configuration, etc.)
Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Credential re-use from public dumps
Automated scan reports or search engine results (i.e., Shodan, SSL Labs, etc.) without valid proof of concept
Vulnerabilities only affecting users of outdated or unpatched browsers [fewer than two stable versions behind the latest released stable version]
Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Attacks requiring MITM or physical access to a user's device
Comma Separated Values (CSV) injection without demonstrating a vulnerability
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Rate limiting or brute-force issues on non-authentication endpoints
Software version disclosure/banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
Open redirect - unless an additional security impact can be demonstrated
Issues that require unlikely user interaction

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep ResMed and our users safe!