Labcorp's Vulnerability Disclosure Policy

Vulnerability Disclosure Philosophy

Labcorp believes effective disclosure of security vulnerabilities requires mutual trust, respect, transparency and common good between Labcorp and Security Researchers. The Labcorp Vulnerability Disclosure Program is aimed at establishing these conditions in order to protect the data of our customers, shareholders, patients, and members.

If you see something, say something. In the course of your interactions with our websites, if you notice a security vulnerability, we encourage you to report it by using this page. Your report will be forwarded for a timely acknowledgement and verification. Verified issues will then be passed to our development teams for remediation on a timeline commensurate with the severity of the issue.

Reporting security vulnerabilities found in our production environment

You are expected to engage in security research responsibly. For example, if you discover a publicly exposed password or key, you should not use the key to test the extent of access it grants or attempt to download or exfiltrate data in order to prove it is an active key. Similarly, if you discover a successful SQL injection, the expectation is that you will not exploit the vulnerability beyond the steps needed to demonstrate your proof-of-concept.

Per our policy, if you wish to take part in the Labcorp Vulnerability Disclosure Program, you are expected to follow these guidelines:

  • Cause no harm. Any exfiltration or downloading of Labcorp data, disclosure of confidential information, and/or disruption of our customers' experience is outside the scope of this program and outside any protection it affords from legal recourse.
  • Demanding payment in return for destruction of Labcorp data will result in you being viewed and treated as a threat rather than a participant in our program.