Coordinated Vulnerability Disclosure Process | Takeda Pharmaceuticals

Coordinated Vulnerability Disclosure Process


Takeda is committed to advancing global health through innovative medicine while prioritizing trust in decision-making. Cybersecurity is crucial for the safety of our products and services as we aim to enhance and protect lives. We actively collaborate with security researchers to identify and address cybersecurity threats, welcoming their participation in our reporting process. Our process supports researchers who disclose vulnerabilities in good faith, aligning with our dedication to security and transparency. Here is how cybersecurity researchers can report vulnerabilities to us voluntarily.

Scope


This process outlines Takeda's approach to handling vulnerabilities in our IT systems, products, and services. It applies to all digital assets owned or operated by Takeda, including websites, applications, and any other online services. The process is designed to align with the international standards ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling) and with the guidance in NIST Special Publication 800-61 (incident handling), and to operate within the relevant legal frameworks: in the US, the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA) and the Cybersecurity Information Sharing Act (CISA); in the EU, the Network and Information Systems (NIS) Directive and the General Data Protection Regulation (GDPR); and, internationally, the Council of Europe's Budapest Convention on Cybercrime.

Information for Researchers


We appreciate the efforts of security researchers in identifying and reporting vulnerabilities. Your contributions help us enhance the security and reliability of our systems. This document provides guidelines on how to report vulnerabilities to us and what you can expect during the process.

Submission Preferences

To report a vulnerability, please send an email to [email protected] and include the following information:

  • Description: A clear and detailed description of the vulnerability, including the type of issue (e.g., XSS, SQL injection) and its potential impact.
  • Reproduction Steps: Detailed steps to reproduce the vulnerability, including any relevant URLs, parameters, and screenshots.
  • Discovery Date: The date and time when the vulnerability was discovered.
  • Impact Assessment: An assessment of the potential impact of the vulnerability, including any data that might be at risk.
  • Technical Details: Any additional technical details that might help us understand and address the issue (e.g., code snippets, logs).
  • Contact Information: Your contact information (email address, phone number) for follow-up communication.

What We Expect from You

To ensure a smooth and effective disclosure process, we expect researchers to:

  • Good Faith: Act in good faith and avoid any actions that could harm Takeda, its customers, or its partners.
  • Data Integrity: Refrain from accessing, modifying, or deleting any data that does not belong to you.
  • Ethical Conduct: Avoid using social engineering, phishing, or other malicious techniques to gain access to our systems.
  • Confidentiality: Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.
  • Legal Compliance: Comply with all applicable laws and regulations, including but not limited to the CFAA, DMCA and CISA in the US, the NIS Directive and GDPR in the EU, and the Budapest Convention on Cybercrime.
  • Proportionality: Commit to complying with the principle of proportionality, i.e., not to exploit vulnerabilities beyond what is strictly necessary to demonstrate the security problem.

What You Can Expect from Takeda

When you report a vulnerability, you can expect the following from us:

  • Acknowledgment: An acknowledgment of your report via email within 4 business days.
  • Updates: Updates on the status of our investigation and remediation efforts.
  • Timely Resolution: A commitment to address the vulnerability in a timely and responsible manner.
  • Legal Assurance: Assurance that we will not pursue legal action against researchers who adhere to this process and act in good faith.

Takeda is committed to protecting well-intentioned security researchers from legal risks. If your research and disclosure activities are consistent with this process, we will consider your activities to be authorized and will not initiate legal action against you.

For further guidance on reporting vulnerabilities, you may refer to ISO/IEC 29147:2018 (vulnerability disclosure) and ISO/IEC 30111:2019 (vulnerability handling), which describe how vulnerabilities are received, triaged, remediated and disclosed.

Notice


Please note that:

  • Takeda reserves the right to modify this process at any time.
  • This process does not authorize you to perform any actions that would violate any law or regulation.
  • By participating in this program, you agree to comply with all applicable laws and regulations.
  • This process is not a waiver of any rights Takeda may have under applicable laws and regulations.