Illumina Product Security

As software and technology continue to become more integrated in our products, Illumina recognizes cybersecurity to be an important element in managing risk across the total product lifecycle. Cybersecurity threats are evolving, and they have the potential to not only impact the confidentiality, integrity, and availability of a product, but also its effectiveness in its intended use. 

Illumina maintains a dedicated Product Security team responsible for evaluating and implementing security controls, managing cybersecurity risk across our various product lines, and executing our cybersecurity post-market product surveillance and support program.

We recognize and appreciate the value provided by our customers and security researchers in identifying cybersecurity risks on Illumina’s products and look forward to collaborating with those partners in good faith.

The scope of the Illumina Coordinated Vulnerability Disclosure Program includes on-market products and associated SaaS applications (e.g. BaseSpace Sequence Hub, Illumina Connected Analytics, Illumina Connected Insights, Correlation Engine, ClarityLIMS, Emedgene). Infrastructure and software owned and used by Illumina in operating its business are out of scope of this Coordinated Vulnerability Disclosure Program. Additionally, the Coordinated Vulnerability Disclosure Program should not be used for submitting adverse events or product quality complaints. Please follow the appropriate processes laid out by the individual product lines for reporting these types of issues.

As a part of our Coordinated Vulnerability Disclosure Program, Illumina will be using this page to post cybersecurity bulletins related to vulnerabilities and their potential impact to Illumina products. For any additional questions or comments related to product security at Illumina, please contact your service representative and/or the product security team.

How to contact Illumina Product Security:

Upon identifying a potential vulnerability in an Illumina product, please contact the Product Security team via email as soon as possible using Pretty Good Privacy (PGP) encryption as follows:

• Key ID:  B286E33E2CCD79B5 
• PGP Location:  https://keys.openpgp.org/
• Vulnerability Disclosure Program email:  vdp@illumina.com

In the email, please provide all relevant technical information regarding the vulnerability, including, but not limited to:

• Product(s) affected
• URL (if applicable)
• Steps needed to replicate the potential issue (screenshots welcome)
• Plans on public disclosure (if applicable)
• Awareness of active exploitation (if applicable)

Do not include any personally identifiable information (PII) or individually identifiable health information (IIHI) in the message.

For any research being conducted on Illumina products, we ask researchers to:

• Perform testing in a safe environment and manner
• Not test or alter a production system in any way
• Not use devices in production that have been altered
• Not weaponize the research, nor create an active exploit
• Engage with Illumina before making any public disclosure

After receiving notice of a potential vulnerability, Illumina will:

• Review all submitted information and acknowledge receipt within 5 business days
• Request additional information, if required, to enable a full review of the submission 
• Initiate our internal Case Response processes, which may include: 
  • Internal replication of potential vulnerabilities 
  • Risk evaluation activities 
  • Mitigation/remediation planning and execution 
  • External communications
• Work diligently in providing updates to the submitter, as necessary