Coordinated Vulnerability Disclosure Policy
Zimmer Biomet is committed to improving patient quality of life through innovative medical solutions. At the heart of this mission is trust - built through transparency, integrity, and a continued commitment to product and system security. Cybersecurity is a key component of delivering safe and effective products and services. Zimmer Biomet operates under a global cybersecurity policy framework that guides incident management and risk assessment activities. As part of our efforts to deliver secure, reliable solutions, we recognise the value of contributions made by independent cybersecurity researchers who identify and report potential vulnerabilities in a responsible manner. Zimmer Biomet fully supports coordinated vulnerability disclosure (CVD) and encourages researchers to engage with us constructively. This policy outlines the process by which cybersecurity researchers can voluntarily report vulnerabilities and security concerns to Zimmer Biomet. It reflects our values and our commitment to working in good faith with security researchers who provide valuable insights into improving the resilience of our systems and services.
We welcome engagement from the global security research community to proactively identify and reduce risk across our technology landscape - enhancing security for our patients, providers, partners, and employees. In appreciation of responsible and ethical disclosures, Zimmer Biomet may choose, at its sole discretion, to recognise validated contributors on our researcher site page (upon request and after resolution of the reported issue).
Program Scope
This Coordinated Vulnerability Disclosure Policy applies to all commercially available Zimmer Biomet products, services, and corporate applications.
Note: This process is not intended for product complaints, adverse event reporting, or technical support inquiries. In addition, this policy does not extend to vulnerabilities found in third-party components or to testing that negatively impacts services or user experiences (e.g., denial of service, brute force, password spraying). Please use Zimmer Biomet’s appropriate channels for those requests.
Reporting Guidelines and Legal Framework
To maintain a constructive and safe disclosure process, we ask that researchers comply with the following:
Do not include personally identifiable information (PII) or protected health information (PHI) in any submissions (including any associated screenshots)
Do not conduct testing that could harm Zimmer Biomet patients, customers, systems, or infrastructure
Avoid conducting research on systems used in clinical settings or during active patient care
Ensure testing is performed in a manner that does not affect service availability or functionality for other users. Researchers should either test products in a way that does not affect availability, or obtain permission prior to initiating research
Comply with all applicable laws and regulations in your jurisdiction and those relevant to Zimmer Biomet
Only exploit a vulnerability to the extent necessary to reasonably demonstrate its existence, and avoid accessing or extracting data
Do not modify, delete, or copy data, or introduce additional vulnerabilities into the system
Do not attempt to escalate privileges, alter systems, or expand access beyond the reported issue
Do not share or publish details of the vulnerability without coordination and mutual agreement on a public disclosure timeline
Inform Zimmer Biomet of any regulatory or third-party disclosures regarding the vulnerability
If you communicated vulnerability information to vulnerability coordinators such as ICS-CERT or other parties, please advise us and provide their tracking number, if one has been made available
Ensure your participation is voluntary and not in violation of employment agreements or labour laws
How to Report a Vulnerability
To voluntarily report a vulnerability or cybersecurity concern related to Zimmer Biomet systems, products, or infrastructure, please contact: disclosures@zimmerbiomet.com
Please include:
A clear description of the vulnerability
Steps to reproduce the issue
Any tools or methods used in discovery
Impacted product, system, or domain (for example: version, model, or serial numbers)
When and where the vulnerability was discovered
Known or suspected threats relating to the vulnerability (including any known or suspected exploitation)
Your contact information for follow-up questions from the Company or a Company-designated vendor
Recommended remediations or mitigation strategies, if known
For websites or other web-based platforms, please also include:
Date and time of testing
Relevant URLs
Browser type and version
Input provided to the application during testing
Providing these details will help us correlate your activity with internal security logs, identify detection gaps, and respond more effectively.
Submission Evaluation and Response
Zimmer Biomet will evaluate reported vulnerabilities based on the potential impact to patient safety, data integrity, and business continuity. Throughout the vulnerability verification and resolution process, we will aim to communicate with you so that expectations are clear.
Within 5 business days of your submission, you will receive confirmation that we have received your submission and that our security team is evaluating it for verification
If needed, we will request additional information from the reporter or provide instructions to coordinate with an approved third-party vendor
If a vulnerability is verified, we will notify you once a patch or fix has been applied
Zimmer Biomet may use existing customer notification processes to communicate the release of a patch or security fix and coordinate with other authorities
Priority will be given to:
Vulnerabilities with demonstrable risk
Issues affecting live production systems
Concerns with potential regulatory or reputational impact
Disclaimer
By voluntarily submitting information to Zimmer Biomet, you agree:
The submission is non-proprietary and non-confidential
Zimmer Biomet may use, reproduce, and disclose the information, in whole or in part, without restrictions
Submission does not create any rights for you, or any obligations or warranties on the part of Zimmer Biomet, including any payment obligations