Coordinated Vulnerability Disclosure (CVD) Program

Dexcom’s CVD process operates in conjunction with our broader post-market cybersecurity activities, including continuous monitoring, threat intelligence, incident response and compliance reporting. We are committed to conducting ongoing reviews to minimize security risk and vulnerabilities.
  • We ask you to report vulnerabilities through our Coordinated Vulnerability Disclosure (CVD) Program described below.
  • We will monitor announced vulnerabilities to assess the potential impact on Dexcom products.
  • We will assess the potential impact of threats.
  • We will engage external experts in cybersecurity reviews to identify and/or mitigate confirmed risks as needed.
  • We will develop and implement mitigation strategies.
  • We will align with all applicable legal and regulatory requirements.
  • If appropriate and with the submitter’s consent, we may disclose the confirmed vulnerability to acknowledge your contribution.

Submission to the CVD Program

We recognize the valuable contributions from the security research community. To appropriately partner with the research community, we have created a CVD Program, which we hope promotes collaboration with those who intend to work with Dexcom in good faith.

Making a Submission:

If you have a concern or have identified a potential vulnerability in one of our products, submit the information using the form below. Note that English is the accepted language for the submission form.
What to Include: Complete all required fields below, and include:
  1. Details related to the discovery
  2. The products/devices/systems that may be impacted (with product numbers, if available)
  3. Steps which would need to be taken to replicate the potential vulnerability (if known)
  4. Any awareness of active exploitation
  5. Whether you were able to access any personally identifiable information on the product/system related to the vulnerability or concern
  6. Details on the testing environment, process and tools used to identify the potential vulnerability
  7. Whether you have notified or plan to notify any other third party about the vulnerability submitted (e.g., regulatory agencies, vendors, vulnerability coordinators); and/or
  8. Any other information that you believe would be helpful

Dexcom’s Expectations of Researchers:

We ask that security researchers who test and submit vulnerabilities do so in accordance with the following guidelines:
  • Avoid actions that could impact the safety or privacy of any person
  • Do not include any personally identifiable information about any other person (including any identifiable protected health information)
  • Perform the testing in a safe environment and manner
  • Do not: test or alter a production or active device in any way; use brute force testing; test or alter a medical device, software or service that is in active use; use a device or software that has been subject to testing for medical purposes; exploit any vulnerability; take actions that result in a change to a product or system after the test is conducted; use devices in production that have been altered; create an active exploit; create or publicly post code that exploits an identified vulnerability
  • Comply with all laws and regulations during your research and testing activities
  • We also ask that you not publicly disclose the vulnerability without engagement with Dexcom

Dexcom will:

  • Review all submitted information and acknowledge receipt of the initial submission within five business days
  • Evaluate and/or investigate the submitted information, working with the appropriate business and product teams for review and verification
  • Request additional information, if required, to enable a full review of the submission
If the vulnerability is confirmed, Dexcom will evaluate the potential impact, and identify and take appropriate action, which may include:
  • Internal replication of the potential vulnerability
  • Risk assessment and/or evaluation
  • Mitigation/remediation planning and execution
  • External communications efforts
  • We may desire to disclose a confirmed vulnerability and may reach out to get your agreement to recognize your contribution in such disclosure

Terms Applicable to Dexcom’s Coordinated Vulnerability Disclosure Program:

By submitting information, you agree that (a) your submission will be governed by Dexcom’s Privacy Statement and Terms of Use; (b) the information you submit will be considered as non-proprietary and non-confidential information, which Dexcom is allowed to use in any manner, in whole or in part, without any restriction; (c) your participation in Dexcom’s Coordinated Vulnerability Disclosure Program does not create any rights for you and/or any obligation for Dexcom; and (d) any aspect of this process may be changed by Dexcom, in its sole discretion and without notice.

MAT-5161

© 2026 Dexcom, Inc. All rights reserved.
