Details

McKesson Coordinated Vulnerability Disclosure

We support coordinated vulnerability disclosure and encourage responsible reporting by security researchers and by customers to McKesson. This page describes our practice for addressing potential vulnerabilities in our systems and services.

Reporting suspected vulnerabilities

If you would like to report a vulnerability or have a security concern regarding McKesson systems or services, please submit it in the form below or email [email protected]. If you wish to protect your email, you may use our PGP Key.

Please provide any supporting material including URLs, versions, inputs, outputs, steps to reproduce, etc., that would be useful in helping us understand the nature of the vulnerability.

Scope

The following activities are out of scope for McKesson Coordinated Vulnerability Disclosure Program. Conducting any of the activities below will result in permanent disqualification.

Any vulnerability obtained through the compromise of McKesson systems or McKesson employee accounts
Any Denial of Service (DoS) attack against McKesson systems or customers
Physical attacks or attempts against McKesson employees, locations, and data centers
Social engineering of McKesson employees, contractors, or vendors
Knowingly posting, transmitting, uploading, or sending malware
Pursuing vulnerabilities that send unsolicited bulk messages (spam)

Assessment and action

McKesson will acknowledge receiving the report.
McKesson will keep you informed on the status of the report and will let you know when the report has been closed out. Timelines of updates will depend upon the vulnerability and the affected systems.
If the vulnerability is a third-party component which is part of our system or service, we may refer your report to that third party and advise of that notification.

Public disclosure

If applicable, McKesson will coordinate public disclosure of validated vulnerabilities with you. We respectfully ask that our respective public disclosures be posted simultaneously.

McKesson requests that you do not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability, and informed other parties as needed. Also, we respectfully ask that you do not access, post, or share any data belonging to our customers, patients, business partners, and employees.

Notice

We look forward to working with security researchers who share our passion for protecting McKesson customers. You agree that submitting information does not create any rights for you or any obligation of payment from McKesson.

Submission form

Submit Vulnerability Report

Reporting suspected vulnerabilities

Please provide any supporting material including URLs, versions, inputs, outputs, steps to reproduce, etc., that would be useful in helping us understand the nature of the vulnerability.

Scope

The following activities are out of scope for McKesson Coordinated Vulnerability Disclosure Program. Conducting any of the activities below will result in permanent disqualification.

Any vulnerability obtained through the compromise of McKesson systems or McKesson employee accounts

Any Denial of Service (DoS) attack against McKesson systems or customers

Physical attacks or attempts against McKesson employees, locations, and data centers

Social engineering of McKesson employees, contractors, or vendors

Knowingly posting, transmitting, uploading, or sending malware

Pursuing vulnerabilities that send unsolicited bulk messages (spam)

Assessment and action

McKesson will acknowledge receiving the report.

McKesson will keep you informed on the status of the report and will let you know when the report has been closed out. Timelines of updates will depend upon the vulnerability and the affected systems.

If the vulnerability is a third-party component which is part of our system or service, we may refer your report to that third party and advise of that notification.

Public disclosure

If applicable, McKesson will coordinate public disclosure of validated vulnerabilities with you. We respectfully ask that our respective public disclosures be posted simultaneously.