Vulnerability Disclosure Program

August 13, 2024

The responsible disclosure of security vulnerabilities requires trust, respect, transparency and a mutual goal of working towards the cyber common good. The CVS Health Vulnerability Disclosure Program is aimed at establishing these conditions in order to protect the data of our customers, shareholders, patients and members.

If you see something, say something. In the course of your interactions with our websites, if you notice a security vulnerability, we encourage you to report it by using this page. Your report will be forwarded for timely acknowledgement and verification. Verified issues will then be passed to our development teams for remediation on a timeline commensurate with the severity of the issue.

Reporting security vulnerabilities found in our production environment

You are expected to engage in security research responsibly. For example, if you discover a publicly exposed password or key, you should not use the key to test the extent of access it grants or attempt to download or exfiltrate data in order to prove it is an active key. Similarly, if you discover a successful SQL injection, the expectation is that you will not exploit the vulnerability beyond the steps needed to demonstrate your proof-of-concept.

Per our policy, if you wish to take part in the CVS Health Vulnerability Disclosure Program, you are expected to follow these guidelines:

  • Cause no harm. Any exfiltration or downloading of CVS Health/Aetna data, disclosure of confidential information, and/or disruption of our customers’ experience are all outside the scope of this program and outside any protections it affords from legal recourse.

  • Demanding payment in return for destruction of CVS Health/Aetna data will result in you being viewed and treated as a threat rather than a participant in our program.