Responsible Disclosure Program

Our Philosophy

We take security very seriously in executing our mission to help millions of patients get the medications they need to live healthy lives. If you believe you’ve found a vulnerability in our applications or infrastructure that could harm CoverMyMeds or anyone who uses CoverMyMeds, please provide as much information as possible about the potential flaw, how one might exploit it, and any other information to help us understand the scope of the issue.

Our responsible disclosure program is managed by our third-party vendor, who will review and validate cybersecurity issues within the scope of this program. We do not offer a bounty program or provide compensation in exchange for security vulnerability submissions.

Our Commitment

  • We accept vulnerability reports from customers, researchers and vendors.
  • We will communicate timely and respectfully with all researchers.
  • We will investigate and remediate all reported vulnerabilities based on their risk to those potentially affected.

Rules of Engagement

We rely on the Common Vulnerability Scoring System but reserve the right to upgrade and downgrade the severity of findings based on their impact.

  • If you are able to gain access to a system, accounts, users, or user data, stop at the point of recognition and report.
  • Use professional language in all attack payload data.
  • When documenting a vulnerability, make sure it is discreet and doesn't identify any individuals.
  • No uploading of any vulnerability or patient-related content to third-party sites (e.g. Pastebin, Reddit, GitHub).

Noncompliance

Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from CoverMyMeds will render the submission non-compliant with this Responsible Disclosure Policy. In addition, to remain compliant you are prohibited from:

  • accessing, downloading, or modifying data residing in an account that does not belong to you.
  • executing or attempting to execute any “Denial of Service” attack.
  • posting, transmitting, uploading, linking to, sending, or storing any malicious software.
  • testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of duplicative or unsolicited messages.
  • testing in a manner that would degrade the operation of any CoverMyMeds properties.
  • testing third-party applications, websites, or services that integrate with or link to CoverMyMeds properties.

Thank You

CoverMyMeds values the research community. Contributions from researchers like you can help protect the privacy and security of our customers.
