Patient safety and the security of our products and services are important to us, and we believe in the rapidly growing security research community. Through our Coordinated Vulnerability Disclosure (CVD) program, we provide a platform for security researchers and customers to responsibly disclose potential security vulnerabilities in our products or services.
The scope of our vulnerability reporting program includes our medical devices, supporting software, web services, and mobile applications.
This program is not for technical support on our products or product quality complaints. For help with these, please contact support by visiting Contact Intuitive.
Email your finding to product.security@intusurg.com using our PGP public key to encrypt your email submission. Our public key can be found on the PGP public key server (keys.openpgp.org) by the key ID: 70C9490DB1D36E55
Subject: [Product Name] – [Model Number] [Software Version (leave blank if not available)] - [Vulnerability Name or Class]
Body:
1. What is the suspected vulnerability and why do you think this is a security vulnerability?
2. How did you find the suspected vulnerability, what is the potential resultant effect of the findings, and what is an applicable remediation?
3. What are potential threats from this suspected vulnerability, as applicable?
4. Is the suspected vulnerability known to other parties or is it assigned a CVE?
5. Describe the steps to reproduce the issue (proof of concept, exploit code, screenshots, video, etc.).
6. Optional: Contact information so we can follow up with you. Please include name(s), organization name, email address, and phone number. We will not share your contact information externally or use it for any other purpose.
We aim to provide complete transparency on the process to all security researchers/customers and we expect the same from you.
Safe Harbor: We will not engage in legal action against individuals who submit reports in good faith following our Vulnerability Reporting process. We agree to work with individuals who:
We reserve the right to change any aspect of our coordinated disclosure program at any time without notice, as well as for case-by-case exceptions. No particular level of response is guaranteed.
By contacting us, you agree that the information you provide will be governed by our site’s Privacy Policy and Terms of Use.
Windows TCP/IP Remote Code Execution Vulnerability (CVE-2024-38063)
August 30, 2024. Intuitive Product Security is aware of and is monitoring a cyber vulnerability affecting certain versions of the Microsoft Windows operating system.
Intuitive identified this disclosure as part of Postmarket Cybersecurity vulnerability monitoring. Following thorough risk assessment, it has been determined that the following Intuitive products may be vulnerable to the referenced CVE-2024-38063:
There is no clinical risk or patient safety impact.
The Intuitive Product Security team will contact customers to help them identify which of their Intuitive products and services may be affected and what steps should be taken to address the vulnerability.
SonicWall SonicOS Improper Access Control Vulnerability (CVE-2024-40766)
August 26, 2024. SonicWall has disclosed CVE-2024-40766, describing a cyber vulnerability affecting certain versions of the SonicWall SonicOS.
Intuitive identified this disclosure as part of Postmarket Cybersecurity vulnerability monitoring. Following thorough investigation and testing, it has been determined that the configuration of SonicWall devices used in Intuitive products is not vulnerable to the referenced CVE.
Intuitive Product Security is in contact with SonicWall and will continue to monitor and respond to updated information as it is received.
Apache Log4j Cybersecurity Vulnerability
December 22, 2021. Intuitive is aware of and actively monitoring the recently disclosed cybersecurity threat associated with the “Apache Log4j” vulnerability. At this time, none of Intuitive’s products or external facing IT systems are impacted by this vulnerability.
We are committed to patient safety and the continued safe operation of our products and services. We will continue to monitor this cyber threat closely and will provide additional relevant information, as appropriate.
Blackberry QNX Real-Time Operating System Vulnerabilities
Aug 30, 2021. Blackberry has disclosed potential cyber vulnerabilities associated with certain versions of their QNX Real-Time Operating System. This disclosure was followed by an FDA notification of the vulnerabilities.
Through our active Postmarket Cybersecurity Surveillance Program, we were made aware of these vulnerabilities as they were publicly disclosed. In response, we conducted risk assessments across our product offerings, in compliance with our Postmarket Cybersecurity Maintenance Plan, and determined none are susceptible to the vulnerability.
We have worked and will continue to work with FDA, our customers, regulators, and others to provide further information as needed.
If there are any further questions, please email us at product.security@intusurg.com.