McKesson logo

McKesson Vulnerability Disclosure Program

We support vulnerability disclosure program and encourage responsible reporting by security researchers and by customers to McKesson. This page describes our practice for addressing potential vulnerabilities in our systems and services.

What is a Vulnerability Disclosure Program?

A Vulnerability Disclosure Program (VDP) is the "see it, say it, sort it" of the internet - we encourage security researchers to report any behavior impacting the information security posture of McKesson products and services.

  • Please document your findings thoroughly, providing steps to reproduce and send your report to us.
  • Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.
  • We will contact you to confirm that we’ve received your report and trace your steps to reproduce your research.
  • We will work with the affected teams to validate the report.
  • We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if needed by us to reproduce and investigate the report.

Reporting suspected vulnerabilities

If you would like to report a vulnerability or have a security concern regarding McKesson systems or services, please submit it in the form below or email VulnerabilityReporting@McKesson.com.

Please provide any supporting material including URLs, versions, inputs, outputs, steps to reproduce, etc., that would be useful in helping us understand the nature of the vulnerability.

Disclosure Policy

  • By providing a Submission, you agree that you may not publicly disclose your findings or the contents of your Submission to any third parties.
  • McKesson’s program does not permit disclosure to any party outside of McKesson.

Unauthorized Conduct

  • Do not collect any personally identifiable information - including health information, credit card information, addresses and phone numbers from other customers.
  • Do not perform automated scanning or testing.
  • Do not store, share, modify, copy, compromise or destroy McKesson or 3rd party data.
  • Do not hack, penetrate, or attempt to gain access to McKesson infrastructure, systems, or data
  • Do not use social engineering and physical attacks
  • Do not degrade or adversely impact the operation of McKesson or 3rd party systems or applications
  • Do not engage in any activity that can potentially or cause harm to McKesson, McKesson affiliates, customers, patients, employees or 3rd parties.

Terms and Conditions

In connection with your participation in this program you agree to comply with McKesson’s Terms of Service, McKesson’s Privacy Policy, and all applicable state, federal, or international laws and regulations, including any laws or regulations governing privacy or the lawful processing of data. Once submitted, the report is and will remain the property of McKesson.

McKesson reserves the right to change or modify the terms of this program at any time. You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. sanctions lists (such as the lists administered by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC)).

Under McKesson’s program, you may not

  • Engage in unauthorized conduct as listed in this agreement.
  • Extract or access Personal Information or Confidential Information (e.g., personal health data, trade secrets);
  • Publicize, disclose, assign, transfer, or share findings and/or reports involving McKesson’s information system, data, reports, or any other McKesson asset or property.
  • Modify, alter, change, copy, or corrupt programs or data belonging to McKesson to extract and publicly disclose data belonging to McKesson.

McKesson employees (including former employees that separated from McKesson within the prior 12 months), contingent workers, contractors and their personnel, and consultants, as well as their immediate family members and persons living in the same household, are not eligible to receive bounties or rewards of any kind under any McKesson programs, whether hosted by McKesson or any third party.

By submitting information through this program, you agree that McKesson may use the information in any manner, in whole or in part, without any restriction. You also agree that submitting such information does not create any rights or title for you or any obligations for McKesson over the information.


Notice:

We look forward to working with security researchers who share our passion for protecting McKesson customers. You agree that submitting information does not create any rights for you or any obligation of payment from McKesson.


Submission form:

Submit Vulnerability Report