
Product Cybersecurity Coordinated Vulnerability Disclosure Policy

Lilly Core Values Statement

At Eli Lilly and Company (“Eli Lilly,” “Lilly,” “we,” or “us”), we make medicines that help people live longer, healthier, more active lives. We strive to earn and maintain the trust of the people we serve, including by safeguarding the security of the mobile medical applications that we provide. We have an unwavering commitment to provide safe and secure products and services. Consistent with our core values of Integrity, Excellence and Respect for People, we consider product security a key component of operating ethically and responsibly.


Purpose

The purpose of this Product Cybersecurity Coordinated Vulnerability Disclosure Policy (the “VDP” or “Policy”) is to define the process for Lilly to work collaboratively with independent security researchers (“finders,” “researchers,” or “you”) to identify and resolve certain types of product cybersecurity vulnerabilities.

Please review this policy in its entirety before submitting a product cybersecurity vulnerability report to Lilly. If you have questions or comments about the VDP, please contact us at the information provided in the “Contact Us” section below.

If you are a patient and have questions or concerns regarding Lilly products, please call The Lilly Answers Center, or TLAC, at 1-800-Lilly-Rx (1-800-545-5979).


Scope

The scope of our product cybersecurity vulnerability policy includes Medical Devices, Software as a Medical Device, and Mobile Medical Applications. It is not for technical support information on our products or for reporting adverse events or product quality complaints.

Out of Scope

The following product cybersecurity vulnerability categories are out of the scope of this Policy and not authorized:

  • Denial of service attacks.

  • Social engineering exploits against Lilly’s customers, employees, contractors, and/or affiliates (including but not limited to phishing attacks and email spoofing).

  • Issues requiring direct physical access.

  • Flaws impacting out-of-date browsers, software, and plugins.

  • Text-only injections.

  • Brute forcing passwords.

  • Vulnerabilities detected by compromising an existing Lilly customer, employee, or contractor’s account.

  • Reports from automated scanners or tools without additional manual analysis.

  • Missing or misconfigured security-related HTTP headers.

  • Missing cookie flags.

  • Non-conformity with security best practices.

  • Issues requiring extremely unlikely user action or interaction.


What We Expect from You

By participating in this program, you agree to abide by the following rules:

  1. You will only conduct testing in secure environments.

  2. You will abide by all applicable laws and regulations.

  3. You will refrain from any testing that could impact our customers or employees or that compromises their privacy. If you inadvertently encounter data that you reasonably believe to be personal or confidential (e.g., personal health data, trade secrets), you agree to notify us immediately and will not access (or further access), alter, copy, or transfer such data.

  4. You will not exploit a vulnerability beyond the minimum level required to validate it. Once you have established that a vulnerability exists or encounter any personal or confidential data, you will stop your test and notify Lilly immediately.

  5. You will avoid actions that could cause changes to a product or system after your vulnerability test is completed.

  6. You will not conduct brute force testing.

  7. You will not engage in social engineering against our customers, employees, contractors, vendors, or affiliates.

  8. You will use best efforts to avoid interrupting or degrading our services for our customers or employees.

  9. You will not destroy or alter data on our services.

By submitting information through this process, you agree that we may use the information in any manner, in whole or in part, without any restriction. You also agree that submitting such information does not create any rights for you or any obligations for Lilly over the information.


What You Can Expect from Us

When Lilly receives a product cybersecurity vulnerability report, it will endeavor to:

  1. Acknowledge receipt of the report.

  2. Verify and reproduce the vulnerability.

  3. Conduct a risk analysis to determine appropriate action to take.

  4. Notify the researcher to confirm Lilly’s reproduction of the issue, if appropriate.

  5. Update and coordinate with the researcher, as appropriate.

The process described here is not a guarantee. It is subject to our sole discretion, and we may change it, as appropriate, to address particular situations.


Reporting a Product Cybersecurity Vulnerability

If you have identified a potential product cybersecurity vulnerability, please submit a report to our team using the form below. Please include the following information:

  1. Your email address.

  2. When and where the vulnerability was discovered.

  3. Technical description of the vulnerability and environment in which it was discovered (e.g., the product, version, and configuration of the software, affected endpoints, or URLs).

  4. Information about the tools and techniques you used to discover this vulnerability.

  5. Step-by-step instructions to reproduce the vulnerability.

  6. Proof-of-concept.

  7. A summary of the vulnerability’s impact and suggested mitigation / remediation actions, if any.

  8. Except for your email address, DO NOT include any personal information, such as sensitive/health information.

  9. By contacting us, you agree that information you provide will be governed by our site’s Privacy Policy and Terms of Use.

  10. When you submit a report, you agree that you will only disclose the results of your findings and methodologies to Lilly.

Legal

If you comply with this Policy during your security research, as determined by us in our sole discretion, we will consider your research to be authorized, and not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in compliance with this policy, we will make this authorization known.

By submitting the product cybersecurity vulnerability, you affirm that you have not disclosed and will not disclose the product cybersecurity vulnerability to anyone other than us.

We may modify the terms of this program or terminate this program at any time.

Last Updated: November 22, 2022