Pfizer Disclosure Policy

Report a Security Vulnerability

Hope changes lives. We at Pfizer are in relentless pursuit of scientific breakthroughs and revolutionary medicines that will create a healthier world for everyone.

Pfizer takes cybersecurity seriously and value the contributions of the security community at large. The responsible disclosure of potential issues helps us ensure the security and privacy of our customers and data.

Vulnerability Disclosure Policy

Pfizer has partnered with HackerOne to handle reports of potential security or vulnerability issues in our products or services. Please note that this policy does not provide any form of defense or indemnity for any actions, nor does it authorize or encourage any actions that are either in breach of the law or of this policy.

Safe Harbor

Pfizer will not initiate legal action against you for any security research activities under the HackerOne Vulnerability Disclosure Programs conducted in a manner consistent with this policy.

Guidance

If you believe you’ve found a security issue in one of our products or services, please notify us and include the following details with your report:

• A description of the issue and where it is located.

• A description of the steps to reproduce the issue.

Submitting a Vulnerability

Once a report is submitted, Pfizer commits to provide prompt acknowledgement of receipt of all reports and will keep you reasonably informed of the status of any validated vulnerability that you report through this program.

Unauthorized Conduct

This policy is designed to be compatible with common vulnerability disclosure good practice. Researchers shall disclose potential vulnerabilities in accordance with the following guidelines:

• Do not engage in any activity that can potentially or actually cause harm to Pfizer, our customers, our employees, or any third-party.

• Do not engage in any activity that can potentially or actually stop or degrade Pfizer services or assets.

• Do not perform automated scanning or testing.

• Do not store, share, compromise or destroy Pfizer or third-party data, including data of individuals. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Pfizer. This step protects any potentially vulnerable data and you.

• Provide Pfizer reasonable time to fix any reported issue, before such information is shared with a third party or disclosed publicly.

• Hack, penetrate, or otherwise attempt to gain unauthorized access to Pfizer or third-party applications, systems, or data.

• Download, copy, disclose, corrupt, or prevent access or use any proprietary or confidential Pfizer or third-party data, including customer data.

• Adversely impact Pfizer or third-party the operation of Pfizer applications or systems.

Thank you for helping keep Pfizer’s customers and data safe.