Our Coordinated Vulnerability Disclosure (CVD) Program
Moderna appreciates the invaluable contributions of the security research community, aligning with our mindset of being "Bold" and "Relentless" in our pursuit to enhance the protection of our patients and technologies that serve them. We are dedicated to responding, investigating, and resolving reports of legitimate vulnerabilities. If you are a researcher and uncover an actionable, high-impact vulnerability, we want to work with you!
Your participation in our disclosure process is voluntary. By submitting a report or otherwise disclosing a vulnerability to us, you signify that you have reviewed and agreed principles of CVD as set by the International Organization for Standardization (ISO).
To report an adverse event related to unexpected or unwanted medical problems related to our products, go here.
Guidelines for Our CVD Program:
1. Reporting a Vulnerability: If you discover a vulnerability, email us at firstname.lastname@example.org. Your submission should include a detailed description of the vulnerability, evidence, steps to reproduce it, and your contact information.
2. Vulnerability Assessment: Moderna uses the CVSS scoring system to determine the severity of reported issues and leverages STRIDE definitions to communicate impact.
Critical and High Severity issues are addressed immediately, while Moderate and Low Severity issues may be addressed in future releases.
3. After Reporting a Vulnerability: Moderna aims to acknowledge each submission by email within 48 hours. We will confirm our ability to reproduce the issue or reach out if we have questions. We will keep you informed of the progress towards remediating the vulnerability.
4. Public Disclosure of Vulnerabilities: If you plan to disclose the issue after a fix is confirmed in place, we request you to share your disclosure plan with us. This will help us coordinate our communication around the issue and avoid potential customer confusion.
5. Bug Bounty: Please note that Moderna does not offer a bug bounty. However, we appreciate the community's help in keeping our systems secure.
6. Out of Scope: Non-security-related findings, vulnerabilities that rely on social engineering, reports based solely on automated tools' outputs, issues without clearly identified security impact, missing best practices, and non-production environments being accessible without proof of exploitability are out of scope.
7. Ground Rules: Participants in Moderna's Cyber Vulnerability Disclosure Program must respect privacy, do no harm, maintain confidentiality, avoid exploitation, interact respectfully, and follow the guidelines provided. Moderna will not take legal action against those who adhere to these rules.
8. Hiring: Moderna's Information Security Team is currently hiring. You can view open positions on our website.