Responsible Vulnerability Disclosure Policy

Responsible Disclosure of security vulnerabilities requires mutual trust, respect, transparency and common good.  This policy is aimed at establishing these conditions to assure that our customer data is protected.  Its guiding principles are simple:

  • Don’t shoot the messenger
  • Protect our customer’s data

If you see something, say something.  We are not declaring “open season” on our production Internet facing properties but if in the course of your interactions with our Internet presence you notice security vulnerabilities, we encourage you to report the vulnerability using this page.  Your report will be forwarded to our partner (Bug Crowd) for timely acknowledgement and verification.  Verified issues will then be passed to our development teams for remediation on a timeline commensurate with the severity of the issue (as defined by the Bug Crowd Vulnerability Rating Taxonomy).

 

If you wish to actively hunt for security bugs in our applications, we do run Private Bug Bounty Programs via Bug Crowd.  These programs are run in a “testing safe”(non-PRODUCTION)  environment where the confidentiality, integrity and availability of our customer’s data is not placed at risk.  Financial rewards are only offered under our Private Bug Bounty Programs.  Rewards are based on the severity of the bug being reported and we encourage your participation.

Reporting Security Vulnerabilities Found in our Production Environment

Please note that you are expected to engage in security research responsibly. For example, if you discover a publicly exposed password or key, you should not use the key to test the extent of access it grants or to download or exfiltrate data in order to prove it is an active key. Similarly, if you discover a successful SQL injection, you are expected not to exploit the vulnerability beyond the steps needed to demonstrate your proof-of-concept.

 

The rules are simple:

  • Cause no harm – Excessive exfiltration or downloading of CVS Health/Aetna data, disclosure of confidential information, and disrupting our customer’s experience are all outside the scope of this program and any protections it affords from legal recourse.
  • Demanding payment in return for destruction of CVS Health/Aetna data will result in you being viewed and treated as a threat rather than a participant in our Vulnerability Disclosure Program.