Novo Nordisk is committed to ensuring the safety and security of patients, healthcare professionals, and other customers who use our products and services.

Novo Nordisk will not engage in legal action against individuals who in good faith submit vulnerability reports in accordance with our Coordinated Vulnerability Disclosure (CVD) Policy. We openly accept reports for our currently supported products and our systems from individuals who:

  • Engage in testing our products and/or research without harming Novo Nordisk or our customers.
  • Engage in vulnerability testing within the scope of our vulnerability disclosure program and avoid testing against products and/or services in active use for medical treatment, patient care, diagnostics, or monitoring purposes.

This policy covers all products, software, and hardware made available to the general public under the Novo Nordisk brand names. If contractual obligations exist between Novo Nordisk and a partner where the partner must address an identified vulnerability, the terms of the agreement between the partner and Novo Nordisk shall prevail over the terms set forth in this policy.

  • Vulnerabilities affecting End of Life products or services that are no longer supported.
  • Attacks that require the use of phishing or other types of social engineering.
  • Acquisitions, as integration efforts may not be complete.

Novo Nordisk considers it a key priority to provide safe and secure products and services including protection of Personal Data. Therefore, when conducting your security research, please avoid actions that could cause harm to patients or products.

Note that vulnerability testing could negatively impact a product. As such, testing should not be conducted on active products used for medical treatment, and products subjected to security testing should not subsequently be used for medical treatment or in a clinical setting. If there is any doubt, please contact Novo Nordisk.

Novo Nordisk reserves the right to modify its Coordinated Vulnerability Disclosure Policy and processes at any time, without notice, and to make exceptions to it on a case-by-case basis. No particular level of response is guaranteed. However, we will acknowledge receiving your report within five business days and keep you informed on the status of your report. Furthermore, if a vulnerability is verified by our global security response team, we will attribute recognition to the researcher reporting it, if requested.

CAUTION: Do not include sensitive information (for example sample information, Personal Health Information (PHI), PII, etc.) in any documents submitted to Novo Nordisk. Comply with all laws and regulations in the course of your testing activities.

By contacting Novo Nordisk, you agree that the information you provide will be governed by our site's Data Privacy Policy and Online Terms of Use. As a responsible approach to coordination of vulnerability disclosure, we encourage you to collaborate with Novo Nordisk in selecting appropriate dates for disclosing information regarding discovered vulnerabilities. We acknowledge your cooperation in synchronizing the release of vulnerability information. Please inform us of your disclosure plans, if any, prior to public disclosure.

Note: When sharing any information with Novo Nordisk, you agree that the information you submit will be considered non-proprietary and non-confidential and that Novo Nordisk is allowed to use such information in any manner, in whole or in part, without any restriction.

Vulnerability reporting by Submitter
Items marked with a * are mandatory information that must be provided by the Submitter.

Product details

Product name *

Product version number *

Product configuration details *

Product UDI *

Unique Device Identifier - for software applications, located in the ‘About’ screen; for physical devices, located on the label on the device.

Product serial number *

Vulnerability description

Date of discovery (dd/mm/yyyy) *

Location *

Where the vulnerability was discovered (country, region, other relevant location information).

Description of vulnerability *

Method of discovery *

Tools used to discover vulnerability *

User privileges required to exploit vulnerability *

I believe the vulnerability is being exploited *

An exploit is publicly available *

Describe the specific impact and how you would envision it being used in an attack scenario *

Additional comments *

Contact information

E-mail address *

First name *

Last name *

Organization *

Country of residence *

Phone no. *

Your relation to Novo Nordisk *

CERT tracking ID *

Privacy notice *