The responsible disclosure of security vulnerabilities requires trust, respect, transparency and a mutual goal of working towards the cyber common good. The CVS Health Vulnerability Disclosure Program is aimed at establishing these conditions in order to protect the data of our customers, shareholders, patients and members.
If you see something, say something. In the course of your interactions with our websites, if you notice a security vulnerability, we encourage you to report it by using this page. Your report will be forwarded for timely acknowledgement and verification. Verified issues will then be passed to our development teams for remediation on a timeline commensurate with the severity of the issue.
If you wish to actively hunt for security bugs in our applications, we do run private bug bounty programs via Bug Crowd and encourage your participation in these programs. These programs are run in a “testing safe” (non-production) environment where the confidentiality, integrity and availability of our customer’s data is not placed at risk. Financial rewards are only offered under these private bug bounty programs. Rewards are based, in part, on the severity of the bug being reported.
Reporting security vulnerabilities found in our production environment
You are expected to engage in security research responsibly. For example, if you discover a publicly exposed password or key, you should not use the key to test the extent of access it grants or attempt to download or exfiltrate data in order to prove it is an active key. Similarly, if you discover a successful SQL injection, the expectation is that you will not exploit the vulnerability beyond the steps needed to demonstrate your proof-of-concept.
Per our policy, if you wish to take part in the CVS Health Vulnerability Disclosure Program, you are expected to follow these guidelines:
Cause no harm. Any exfiltration or downloading of CVS Health/Aetna data, disclosure of confidential information, and/or disrupting our customers’ experience are all outside the scope of this program and outside any protections it affords from legal recourse.
Demanding payment in return for destruction of CVS Health/Aetna data will result in you being viewed and treated as a threat rather than a participant in our program.