2021-05-04
LumiraDx

Report a security or privacy vulnerability

About Us

LumiraDx develops, manufactures, and commercializes an innovative point of care diagnostic Platform. The LumiraDx Platform is designed to deliver lab comparable diagnostic results at the point of care in minutes. It is designed to be affordable and accessible for healthcare providers globally, and to strengthen community-based healthcare.

Policy

LumiraDx is formalising its policy for accepting vulnerability reports in its products and systems. We hope to foster an open partnership with the security community, and we recognise that the community's work is important in continuing to ensure safety and security for all of our customers.

We have developed this policy both to reflect our corporate values and to uphold our legal responsibility to good-faith security researchers who provide us with their expertise.

In this policy, LumiraDx means LumiraDx Group and all partially, majority or wholly owned subsidiaries.

Scope

This Vulnerability Disclosure Policy covers:

a) LumiraDx Connect and related cloud services.

b) LumiraDx Connect iOS and Android apps.

c) LumiraDx Instrumentation, including peripherals.

d) LumiraDx Hub.

e) LumiraDx Amira, including peripherals, associated apps and cloud services.

f) LumiraDx Care Solutions INRstar and related cloud services.

g) LumiraDx Care Solutions engage Self Care and related cloud services.

h) LumiraDx Care Solutions engage iOS and Android apps.

i) Other systems associated with the .lumiradx.com/ domain.

j) Other systems associated with the .lumiradxcaresolutions.com/ domain.

While LumiraDx develops a number of other products, we ask that security researchers submit vulnerability reports only for the products listed above.

What you can expect from LumiraDx

A commitment to being as transparent as possible about remediation timelines, issues and challenges.

An open dialogue to discuss issues.

Regular updates on the status of your report through the HackerOne platform.

Disclosure Guidelines

You must:

  • Follow the HackerOne Disclosure Guidelines: https://www.hackerone.com/disclosure-guidelines

  • Write reports and submissions in English.

  • Provide a detailed report, with reproducible steps including code, logs and outputs as evidence.

  • Comply with all data protection rules and regulations.

  • Securely delete all data retrieved during your engagement as soon as it is no longer required, or within 1 month of the vulnerability being resolved, whichever occurs first.

You must not:

  • Break any applicable laws or regulations.

  • Access unnecessary, excessive or significant amounts of data, including personal data or data related to health.

  • Edit, change or otherwise manipulate any personal data.

  • Use high-intensity, invasive or destructive tools, e.g. overwhelming a service with high volumes of requests.

  • Exceed 100 requests per second with automated scanning. Aggressive testing that causes service degradation is grounds for removal from the program.

  • Communicate any vulnerabilities or associated details to any party other than LumiraDx and HackerOne.

  • Socially engineer, phish or physically disrupt LumiraDx colleagues, suppliers or infrastructure.

  • Be an employee or agent of LumiraDx Group or its subsidiaries.

Out of Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions.

  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.

  • Attacks requiring MITM or physical access to a user's device.

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.

  • Missing best practices in SSL/TLS configuration.

  • Content spoofing and text injection issues without showing an attack vector, or without being able to modify HTML/CSS.

  • Rate limiting or brute-force issues on non-authentication endpoints.

  • Missing best practices in Content Security Policy.

  • Missing HttpOnly or Secure flags on cookies.

  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).

  • Software version disclosure, banner identification issues, or descriptive error messages or headers (e.g. stack traces, application or server errors).

  • Tabnabbing.

  • Open redirect, unless an additional security impact can be demonstrated.

  • Issues that require unlikely user interaction.

Legal

LumiraDx Group and its subsidiaries will not engage in legal action against individuals who submit vulnerabilities in good faith, that is, a researcher who:

a) has adhered to applicable laws and privacy controls;

b) tests systems and conducts research without harming LumiraDx, its customers or employees;

c) has disclosed the vulnerability only to LumiraDx and/or HackerOne in the first instance;

d) conducts vulnerability testing within the scope of this policy; and

e) has not publicly disclosed vulnerabilities before a mutually agreed timeframe.

Third Party Disclosure

LumiraDx reserves the right to provide vulnerability reports to third parties, such as auditing partners, shareholders etc. Where this occurs, reasonable efforts will be made to obfuscate any personal or identifiable information about the reporter.

Thank you for helping keep LumiraDx safe.

In Scope

Scope Type           Scope Name
android_application  com.lumiradx.connect
android_application  com.lumiradxcaresolutions.engage
hardware             LumiraDx Instrument V5E
ios_application      1423794466
ios_application      1230112791
web_application      https://connect.lumiradx.com/*
web_application      https://www.lumiradx.com
web_application      https://inrstar-it.caresolutions.lumiradx.com/*
web_application      https://inrstar-ie.caresolutions.lumiradx.com/*
web_application      https://training.inrstar.co.uk/*
web_application      .lumiradx.com/


This program, crawled on 2021-05-04, is sorted as bounty.
