McKesson Coordinated Vulnerability Disclosure

We support coordinated vulnerability disclosure and encourage responsible reporting by security researchers and by customers to McKesson. This page describes our practice for addressing potential vulnerabilities in our systems and services.

Reporting suspected vulnerabilities

If you would like to report a vulnerability or have a security concern regarding McKesson systems or services, please submit it in the form below or email If you wish to protect your email, you may use our PGP Key.

Please provide any supporting material including URLs, versions, inputs, outputs, steps to reproduce, etc., that would be useful in helping us understand the nature of the vulnerability.


The following activities are out of scope for McKesson Coordinated Vulnerability Disclosure Program. Conducting any of the activities below will result in permanent disqualification.

  • Any vulnerability obtained through the compromise of McKesson systems or McKesson employee accounts
  • Any Denial of Service (DoS) attack against McKesson systems or customers
  • Physical attacks or attempts against McKesson employees, locations, and data centers
  • Social engineering of McKesson employees, contractors, or vendors
  • Knowingly posting, transmitting, uploading, or sending malware
  • Pursuing vulnerabilities that send unsolicited bulk messages (spam)

Assessment and action

  1. McKesson will acknowledge receiving the report.
  2. McKesson will keep you informed on the status of the report and will let you know when the report has been closed out. Timelines of updates will depend upon the vulnerability and the affected systems.
  3. If the vulnerability is a third-party component which is part of our system or service, we may refer your report to that third party and advise of that notification.

Public disclosure

If applicable, McKesson will coordinate public disclosure of validated vulnerabilities with you. We respectfully ask that our respective public disclosures be posted simultaneously.

McKesson requests that you do not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability, and informed other parties as needed. Also, we respectfully ask that you do not access, post, or share any data belonging to our customers, patients, business partners, and employees.


We look forward to working with security researchers who share our passion for protecting McKesson customers. You agree that submitting information does not create any rights for you or any obligation of payment from McKesson.

Submission form:

Submit Vulnerability Report