Merck & Co., Inc., Rahway, NJ, USA

Introduction

Protecting our patients, customers, and employees from cyber threats is of paramount importance at Merck & Co., Inc., Rahway, NJ, USA (known as MSD outside the U.S. and Canada) (“the Company”). We are committed to ensuring the safety and security of our digital products and services. To help achieve this goal, we have established a Responsible Vulnerability Disclosure Program to provide clear guidance for anyone reporting potential security vulnerabilities to us.

We recognize the valuable contributions of security researchers in creating a safe and secure digital ecosystem. If you have identified a potential security vulnerability in our digital products or services, we encourage you to report it to us immediately by following these guidelines.

We look forward to working with the security community to quickly and efficiently respond to and resolve security vulnerabilities. Thank you for contributing to our Responsible Vulnerability Disclosure Program and helping keep the Company’s business and customers safe.

Table of Contents

1. Voluntary Submissions
2. What You Can Expect
3. Program rules
4. Program scope
5. Ineligible submission type
6. Safe Harbor

Voluntary Submissions

Submission of vulnerability reports to our Responsible Vulnerability Disclosure Program are voluntary and no monetary rewards, bounties or other forms of transfer of value will be provided.

What You Can Expect

The Company will make its best effort to acknowledge your report within ten business days. We’ll try to keep you informed about our progress throughout the process.

The Company aims to remediate vulnerabilities reported by researchers through this program before they become public. For more details on public disclosure of vulnerabilities, see “Program rules” below.

Program rules

• On a best-efforts basis, take steps to prevent any violating of applicable laws (including, without limitation, privacy or data protection laws), destroying data, and interrupting or degrading production systems during your research.
• Restrict your activities to identifying and reporting potential security vulnerabilities back to the Company.
• Do not attempt to exploit the vulnerability to exfiltrate data or compromise the Company’s systems.
• If you come across or gain access to potentially sensitive such as personally identifiable information (PII), protected health information (PHI), trade secret or financial information, stop your testing and report the finding back to the Company. We will take all reasonable steps to validate your report.
• Use only your own account for testing purposes. Do not use or attempt to use another user's account.
• Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact; when a duplicate vulnerability report is submitted, the Company will triage only the first report received.
• Provide detailed reports with reproducible steps.
• Submissions on assets not owned by the Company will be closed as “Not Applicable” or “Informational.”
• Multiple potential security vulnerabilities caused by one underlying issue will be treated as one valid report.
• Social engineering (e.g., spear phishing, phishing, vishing, smishing) is strictly prohibited.
• Denial of service (DoS), distributed denial of service (DDOS), and automated vulnerability scanners that generate significant web traffic are strictly prohibited.
• We ask that you follow HackerOne's disclosure guidelines at all times, and you don't disclose any vulnerability reported through this program until Merck consents.

Program scope

This program is limited to any Company services or platforms publicly accessible from the Internet. The following domains are in-scope:

• *.merck.com
• *.msd.com
• All other applications (web sites, web applications, web services, and mobile applications) owned by Merck & Co., Inc., Rahway, NJ, USA

Ineligible submission type

Although we encourage the security researcher community to submit any vulnerability affecting the security of the Company’s digital products or services that are within the scope of this program, the following submission types are excluded from the scope of this program:

• Clickjacking on pages with no sensitive actions
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
• Attacks requiring Man in the Middle (MITM) or physical access to a user's device
• Previously known vulnerable libraries without a working proof of concept
• Comma separated values (CSV) injection without demonstrating a vulnerability
• Missing best practices in SSL/TLS configuration
• Any activity that could lead to the disruption of our service
• Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
• Rate limiting or brute force issues on non-authentication endpoints
• Missing best practices in content security policy
• Missing HttpOnly or secure flags on cookies
• Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
• Software version disclosure, banner identification issues, descriptive error messages or headers (e.g. stack traces, application or server errors)
• Open redirect - unless an additional security impact can be demonstrated

Safe Harbor

Any activities conducted in a manner the Company deems consistent with this policy will be considered authorized conduct and we will not initiate legal action against you for activities directly related to the identification of the reported vulnerability. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take reasonable steps to make it known that your actions were conducted in compliance with this policy.

The Company does not allow participation in the program to the extent prohibited by applicable law, including (but not limited to) U.S. trade sanctions and economic restrictions.

Thank you for helping keep the Company and its information safe!