Vulnerability Disclosure Program

Responsible disclosure of security vulnerabilities requires mutual trust, respect, transparency and a commitment to the common good.  This policy is aimed at establishing these conditions to ensure that our customer data is protected.  Its guiding principles are simple:

  • Don’t shoot the messenger
  • Protect our customers’ data

If you see something, say something.  We are not declaring “open season” on our production Internet-facing properties, but if in the course of your interactions with our Internet presence you notice security vulnerabilities, we encourage you to report the vulnerability using this page.  Your report will be forwarded to our partner (Bugcrowd) for timely acknowledgement and verification.  Verified issues will then be passed to our development teams for remediation on a timeline commensurate with the severity of the issue (as defined by the Bugcrowd Vulnerability Rating Taxonomy).

If you wish to actively hunt for security bugs in our applications, we run a private Vulnerability Disclosure Program (VDP) via Bugcrowd.  No financial rewards of any kind are offered under our VDP.


Reporting Security Vulnerabilities Found in our Production Environment

Please note that you are expected to engage in security research responsibly. For example, if you discover a publicly exposed password or key, you should not use the key to test the extent of access it grants or to download or exfiltrate data in order to prove it is an active key. Similarly, if you discover a successful SQL injection, you are expected not to exploit the vulnerability beyond the steps needed to demonstrate your proof-of-concept.

The rules are simple:

  • Cause no harm – Excessive exfiltration or downloading of CVS Health/Aetna data, disclosure of confidential information, and disrupting our customers’ experience are all outside the scope of this program and any protections it affords from legal recourse.
  • Demanding payment in return for destruction of CVS Health/Aetna data will result in you being viewed and treated as a threat rather than a participant in our Vulnerability Disclosure Program.