Oxford Nanopore Vulnerability disclosure guidance

Securing your sequencing

Oxford Nanopore designs technology to deliver DNA/RNA analysis to users around the globe. As we continue to advance both the software and hardware that underpin our platform, from our range of devices to the EPI2ME analysis ecosystem and edge-to-cloud analytics, we recognise the importance of building and maintaining robust cybersecurity throughout the technology lifecycle.

In addition to our own teams’ work in this area, we actively welcome engagement from security researchers, academic institutions, and our user community to help us identify and resolve potential vulnerabilities. This effort is part of our broader mission to ensure that the sequencing technologies enabling science, health, and discovery remain secure, trustworthy, and resilient.

Information about our security updates

Information about the latest security updates is freely available in our online user community – please visit the software downloads page for the latest information about vulnerabilities, patches and release notes.

What this disclosure process covers

Oxford Nanopore encourages responsible reporting of security-related issues found in:

  • On-market sequencing platforms, including Flongle, MinION, GridION, PromethION and ElysION
  • Device software and firmware, such as MinKNOW and Dorado
  • Cloud-connected services, including EPI2ME, EPI2ME Labs, and associated data analysis pipelines
  • Secure data exchange points between instruments, software, and Oxford Nanopore cloud infrastructure

Issues related to internal corporate IT systems, personnel systems, or traditional business infrastructure are not in scope for this communication. Similarly, this channel should not be used to report device performance concerns, reagent issues, or adverse events; please use your support representative or the appropriate customer support channels for those matters.

Working with us

We ask that researchers engaging in security testing of Oxford Nanopore products follow a safe, ethical, and collaborative approach:

  • Conduct testing in isolated, non-production environments.
  • Do not interfere with systems that are actively sequencing or storing real biological data.
  • Do not exploit, enable others to exploit, nor worsen any vulnerabilities found.
  • Raise the issue with us as a matter of urgency and work collaboratively with us so that we can respond rapidly.
  • Provide us with as much technical detail as possible so we can validate and address concerns efficiently.

Our response process

When a potential vulnerability is responsibly disclosed, Oxford Nanopore commits to:

  • Acknowledge receipt of your report within 3–5 working days.
  • Engage directly to request clarification or additional data, where needed.
  • Investigate internally, working across relevant engineering, bioinformatics, and cloud teams.
  • Prioritise remediation based on risk to users, data integrity, and system stability.
  • Collaborate transparently, keeping you informed of progress and offering public credit if appropriate, with your permission.
  • Update the user community in our release notes or other bulletins as we update any vulnerabilities.

We may also issue public security bulletins or advisories when a disclosure affects users broadly or requires customer action.

How to report

We maintain a security.txt file, available here, that outlines how to report vulnerabilities (Contact, Disclosure Policy, Expiration, Encryption, etc.) in line with RFC 9116.

You can also disclose a potential vulnerability by contacting our Product Security team at:

Email: securitydisclosure@nanoporetech.com

Please include:

  • Product name and version
  • Description of the suspected issue
  • Steps to reproduce, logs or screenshots (if applicable)
  • Any knowledge of real-world exploitation
  • Your timeline for planned disclosure (if any)

Do not include patient data, identifiable personal information, or sensitive genomic content in your message.

Use of submitted information

By submitting information to Oxford Nanopore, you agree that it may be used in good faith for the purposes of improving our systems. Unless otherwise agreed in writing, submitted material will be treated as non-confidential and non-proprietary. We will never share your identity without your consent.

A shared commitment

We view cybersecurity as a shared responsibility, essential to preserving trust in scientific instrumentation and the insights it delivers. Thank you for partnering with us to keep our technology secure and reliable.
