Introduction
At Ypsomed AG, Patient Safety and Product Security are top priorities. This Vulnerability Disclosure Policy is intended to provide security researchers with clear guidelines for conducting vulnerability discovery activities and to convey our preferences for how discovered vulnerabilities are submitted to us.
This policy describes what products, systems and types of research are covered under this policy, as well as how to send us vulnerability reports. We encourage you to report potential vulnerabilities in our products and systems by following this policy.
Scope
This policy applies to the following systems and services:
- SmartPilot YpsoMate Add-on device
- Companion Apps connected to SmartPilot using Ypsomed’s SDK on Android or iOS
- YDS Cloud services
Any products or systems not explicitly listed above are excluded from the scope and are not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy.
Authorization
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will then work with you to understand and resolve the issue within the timelines given below. Ypsomed AG encourages your research activities as long as you follow the guidelines in this policy. If you have legal concerns, please send an email to pcs-yds@ypsomed.com.
Guidelines
Under this policy, Ypsomed AG welcomes research activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Comply with all applicable laws and regulations when conducting your research.
- Avoid any action that could harm products or people, degrade user experience, disrupt production systems, or destroy or manipulate data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command-line access, or pivot to other systems.
- Provide us a reasonable amount of time to resolve the issue and to work out a mutually agreed disclosure plan.
Once you have established that a vulnerability exists or have encountered any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop testing, notify us immediately, and not disclose any data to anyone else.
The following actions are expressly not authorized:
- Denial of service attacks or other attacks that impair access to or damage a system or data.
- Physical attacks on hardware.
- Social engineering (e.g. phishing, vishing) of employees or customers, or
- Any other non-technical vulnerability testing.
Vulnerability reporting
We accept vulnerability reports via pcs-yds@ypsomed.com. Please use our PGP public key to encrypt your message.
We would prefer that your reports be provided in English.
What we would like to see from you:
- Contact information.
- Detailed product and system information.
- A description of the location, system and network setup (device, app and operating-system versions, etc.) in which the vulnerability was discovered, and the potential impact of exploitation. Include a diagram if this improves clarity.
- A detailed description of the steps needed to reproduce the vulnerability (proof-of-concept scripts or screenshots are helpful).
What you can expect from us:
- Within seven calendar days, we will acknowledge that your report has been received.
- We will confirm the existence of the vulnerability to you and will be as transparent as possible about remediation steps, prioritized by risk assessment, including any issues or challenges that may delay resolution.
- We will maintain an open dialogue to discuss any issues.
- With your permission, we may publicly acknowledge your contribution to improve the security of our products and systems.
By sharing information through this process, you are agreeing to the Privacy Policy and Terms of Service of Ypsomed AG.
Status: July 2025