Responsible Vulnerability Disclosure Program of Merck & Co., Inc., Rahway, NJ, USA


Protecting our patients, customers, and employees from cyber threats is of paramount importance at Merck & Co., Inc., Rahway, NJ, USA (known as MSD outside the U.S. and Canada) (“the Company”). We are committed to ensuring the safety and security of our digital products and services. To help achieve this goal, we have established a Responsible Vulnerability Disclosure Program to provide clear guidance for anyone reporting potential security vulnerabilities to us.

We recognize the valuable contributions of security researchers in creating a safe and secure digital ecosystem. If you have identified a potential security vulnerability in our digital products or services, we encourage you to report it to us immediately by following the guidelines below.

Disclosure program guidelines

The Company will work in good faith with security researchers who discover, test, and report potential security vulnerabilities in accordance with these guidelines:

  • On a best-efforts basis, take steps to prevent any violation of privacy or data protection laws, destruction of data, and interruption or degradation of production systems during your research.
  • Restrict your research to the extent of identifying and reporting potential security vulnerabilities back to the Company.
  • Do not attempt to exploit the vulnerability to exfiltrate data or compromise the Company’s systems.
  • During your research, if you come across or gain access to potentially sensitive, confidential or proprietary information such as personally identifiable information (PII), protected health information (PHI), or financial information, we ask that you stop your testing and report the finding back to us. We will take all reasonable steps to validate your report.
  • Do not perform any testing on environments outside the scope of this program, including testing in clinical environments that would jeopardize the safety and security of patients. Details regarding the scope of this program are provided at
  • Use communication channels approved by the Company to report potential security vulnerabilities – the details of which are provided below in the section “How to report a potential security vulnerability.” Do not contact the Company’s employees, suppliers, or customers directly to report potential security vulnerabilities.
  • This program requires explicit permission from the Company to disclose the results of the submissions publicly. Do not publicly disclose details of your submission without our explicit written consent.
  • Presently, the Company does not run a bug bounty program. Submissions through our Responsible Vulnerability Disclosure Program are voluntary and no monetary rewards, bounties or other forms of transfer of value will be provided.  
  • The Company does not allow participation in the program to the extent prohibited by applicable law, including (but not limited to) U.S. trade sanctions and economic restrictions.

How to report a potential security vulnerability

If you want to report a potential security vulnerability, please visit You will be redirected to HackerOne, where you can find more information about our policy and submission guidelines such as in-scope and out-of-scope components, eligible and ineligible vulnerabilities, and reporting best practices. We will make every effort to investigate your submissions promptly.