This Coordinated Vulnerability Disclosure Policy applies to all commercially available Zimmer Biomet products, services, and corporate applications.

Note: This process is not intended for product complaints, adverse event reporting, or technical support inquiries. In addition, this does not extend to vulnerabilities found in third-party components or vulnerabilities that or negatively impact services or user experiences (e.g., denial of service, brute force, password spraying). Please use Zimmer Biomet’s appropriate channels for those requests.

To maintain a constructive and safe disclosure process, we ask that researchers comply with the following:

• Do not include personally identifiable information (PII) or protected health information (PHI) in any submissions (including any associated screenshots)

• Do not conduct testing that could harm Zimmer Biomet patients, customers, systems, or infrastructure

• Avoid conducting research on systems used in clinical settings or during active patient care

• Ensure testing is performed in a manner that does not affect service availability or functionality for other users. Researchers can test products without affecting availability or they can obtain permission prior to initiating research

• Comply with all applicable laws and regulations in your jurisdiction and those relevant to Zimmer Biomet

• Only exploit a vulnerability to the extent necessary to reasonably demonstrate its existence including avoiding data access/extraction

• Do not modify, delete, or copy data, or introduce additional vulnerabilities into the system

• Do not attempt to escalate privileges, alter systems, or expand access beyond the reported issue

• Do not share or publish details of the vulnerability without coordination and mutual agreement on a public disclosure timeline

• Inform Zimmer Biomet of any regulatory or third-party disclosures regarding the vulnerability

• If you communicated vulnerability information to vulnerability coordinators such as ICS-CERT or other parties, please advise us and provide their tracking number, if one has been made available

• Ensure your participation is voluntary and not in violation of employment agreements or labour laws

To voluntarily report a vulnerability or cybersecurity concern related to Zimmer Biomet systems, products, or infrastructure, please contact: disclosures@zimmerbiomet.com

Please include:

• A clear description of the vulnerability

• Steps to reproduce the issue

• Any tools or methods used in discovery

• Impacted product, system, or domain (for example: version, model, or serial numbers)

• When and where the vulnerability was discovered

• Known or suspected threats relating to the vulnerability (including any known or suspected exploitation)

• Your contact information for follow-up questions from the Company or a Company-designated vendor

• Recommended remediations or mitigation strategies, if known

• For websites or other web-based platforms, please include: Date and time of testing Relevant URLs Browser type and version Input provided to the application during testing

Providing these details will help us correlate your activity with internal security logs, identify detection gaps, and respond more effectively.

Zimmer Biomet will evaluate reported vulnerabilities based on the potential impact to patient safety, data integrity, and business continuity. Throughout the vulnerability verification and resolution process, we will aim to communicate with you so that expectations are clear.

• Within 5 business days of your submission, you will receive confirmation that we have received your submission and are in progress of our security team evaluating it for verification

• If needed, we will request additional information from the report or provide instructions to coordinate with an approved third-party vendor

• If a vulnerability is verified, we will notify you once patch/fix has been applied

• Zimmer Biomet may use existing customer notification processes to communicate the release of a patch or security fix and coordinate with other authorities

Priority will be given to:

• Vulnerabilities with demonstrable risk

• Issues affecting live production systems

• Concerns with potential regulatory or reputational impact

By voluntarily submitting information to Zimmer Biomet, you agree:

• The submission is non-proprietary and non-confidential

• Zimmer Biomet may use, reproduce, and disclose the information, in whole or in part, without restrictions

• Submission does not create any rights for you or any obligations, or warranties on the part of Zimmer Biomet , including any payment obligations