Coordinated Vulnerability Disclosure Policy
Zimmer Biomet is committed to improving patient quality of life through innovative medical solutions. At the heart of this mission is trust—built through transparency, integrity, and a continued commitment to product and system security. Cybersecurity is a key component of delivering safe and effective products and services.
Zimmer Biomet operates under a global cybersecurity policy framework that guides incident management and risk assessment activities. As part of our efforts to deliver secure, reliable solutions, we recognize the value of contributions made by independent cybersecurity researchers who identify and report potential vulnerabilities in a responsible manner.
Zimmer Biomet fully supports coordinated vulnerability disclosure (CVD) and encourages researchers to engage with us constructively. This policy outlines the process by which cybersecurity researchers can voluntarily report vulnerabilities and security concerns to Zimmer Biomet. It reflects our values and our commitment to working in good faith with security researchers who provide valuable insights into improving the resilience of our systems and services.
We welcome engagement from the global security research community to proactively identify and reduce risk across our technology landscape—enhancing security for our patients, providers, partners, and employees.
In appreciation of responsible and ethical disclosures, Zimmer Biomet may choose, at its sole discretion, to recognize validated contributors on our researcher site page (upon request and after resolution of the reported issue).
Program Scope
This Coordinated Vulnerability Disclosure Policy applies to all commercially available Zimmer Biomet products, services, and corporate applications.
Note: This process is not intended for product complaints, adverse event reporting, or technical support inquiries. In addition, it does not extend to vulnerabilities found in third-party components or to vulnerabilities that negatively impact services or user experiences (e.g., denial of service, brute force, password spraying). Please use Zimmer Biomet’s appropriate channels for those requests.
Reporting Guidelines and Legal Framework
To maintain a constructive and safe disclosure process, we ask that researchers comply with the following:
- Do not include personally identifiable information (PII) or protected health information (PHI) in any submissions (including any associated screenshots).
- Do not conduct testing that could harm Zimmer Biomet patients, customers, systems, or infrastructure.
- Avoid conducting research on systems used in clinical settings or during active patient care.
- Ensure testing is performed in a manner that does not affect service availability or functionality for other users. Researchers should either test products in a way that does not affect availability or obtain permission before initiating research.
- Comply with all applicable laws and regulations in your jurisdiction and those relevant to Zimmer Biomet.
- Only exploit a vulnerability to the extent necessary to reasonably demonstrate its existence, and avoid accessing or extracting data.
- Do not modify, delete, or copy data, or introduce additional vulnerabilities into the system.
- Do not attempt to escalate privileges, alter systems, or expand access beyond the reported issue.
- Do not share or publish details of the vulnerability without coordination and mutual agreement on a public disclosure timeline.
- Inform Zimmer Biomet of any regulatory or third-party disclosures regarding the vulnerability.
- If you communicated vulnerability information to vulnerability coordinators such as ICS-CERT or other parties, please advise us and provide their tracking number, if one has been made available.
- Ensure your participation is voluntary and not in violation of employment agreements or labor laws.
How to Report a Vulnerability
To voluntarily report a vulnerability or cybersecurity concern related to Zimmer Biomet systems, products, or infrastructure, please contact:
disclosures@zimmerbiomet.com
Please include:
- A clear description of the vulnerability
- Steps to reproduce the issue
- Any tools or methods used in discovery
- Impacted product, system, or domain (for example: version, model, or serial numbers)
- When and where the vulnerability was discovered
- Known or suspected threats relating to the vulnerability (including any known or suspected exploitation)
- Your contact information for follow-up questions from the Company or a Company-designated vendor
- Recommended remediations or mitigation strategies, if known
- For websites or other web-based platforms, please include:
  - Date and time of testing
  - Relevant URLs
  - Browser type and version
  - Input provided to the application during testing
Providing these details will help us correlate your activity with internal security logs, identify detection gaps, and respond more effectively.
Submission Evaluation and Response
Zimmer Biomet will evaluate reported vulnerabilities based on the potential impact to patient safety, data integrity, and business continuity. Throughout the vulnerability verification and resolution process, we will aim to communicate with you so that expectations are clear.
- Within 5 business days of your submission, you will receive confirmation that we have received your submission and that our security team is evaluating it for verification.
- If needed, we will request additional information about the report or provide instructions to coordinate with an approved third-party vendor.
- If a vulnerability is verified, we will notify you once a patch or fix has been applied.
- Zimmer Biomet may use existing customer notification processes to communicate the release of a patch or security fix and coordinate with other authorities.
Priority will be given to:
- Vulnerabilities with demonstrable risk
- Issues affecting live production systems
- Concerns with potential regulatory or reputational impact
Disclaimer
By voluntarily submitting information to Zimmer Biomet, you agree:
- The submission is non-proprietary and non-confidential.
- Zimmer Biomet may use, reproduce, and disclose the information, in whole or in part, without restrictions.
- Submission does not create any rights for you, or any obligations or warranties on the part of Zimmer Biomet, including any payment obligations.