Published MasterControl documents frequently use JavaScript.

If you are seeing this message, your viewer

either does not support JavaScript or it is disabled. If you are using Adobe Acrobat, please enable JavaScript.
If you are using another viewer, you will need to configure your browser to view PDF files externally in Adobe
Acrobat.
1. Purpose
1.1. What does this document do? MALLINCKRODT PHARMACEUTICALS is dedicated to
maintaining the confidentiality, integrity, and availability of Mallinckrodt’s products, systems,
and information. We are committed to ensuring the security of our customers and
associates by protecting their information from unwarranted disclosure of our delivering
safe and secure products and services. When security vulnerabilities are discovered, we
work diligently to resolve them. This document describes MALLINCKRODT
PHARMACEUTICAL’s policy for receiving reports from security researchers or other third
parties related to potential security vulnerabilities in its products and services and the
company’s standard practice about informing customers of verified security vulnerabilities.
1.2. This policy is also intended to give security researchers clear guidelines for conducting
security research and to convey our preferences in how to submit discovered security
vulnerabilities to us.
1.3. This policy describes what systems are covered and types of security research are
permitted under this policy, how to send us security vulnerability reports, and how long we
ask security researchers to wait before publicly disclosing security vulnerabilities.
1.4. We want security researchers to feel comfortable reporting security vulnerabilities they
have discovered – as set out in this policy – so we can fix them and keep our users safe.
We have developed this policy to reflect our values and uphold our sense of responsibility
to security researchers who share their expertise with us in good faith.

2. Scope
2.1. This policy applies to the following systems and services:
*.sbiopharma.com
*.acthar.com
*.acthardmpm.com
*.actharis.com
*.actharlupus.com
*.actharmsattack.com
*.actharmsattacks.com
*.actharmsrelapse.com
*.actharnephrology.com
*.actharneurology.com
*.actharpatientsupport.com
*.actharproviderportal.com
*.actharpulmonology.com
*.actharra.com
*.actharrheumatology.com
*.actharsarcoidosis.com
*.focusedonburn.com
*.hrs1sooner.com
*.ikaria.com
*.knowsarcoidosis.com
*.mpbranding.com *.ActharISHCP.com
*.msrelapseprograms.com *.ActharPSA.com
*.ofirmev.com *.DMPMandYou.com
*.ofirmev-pk.com *.Focusonburn.com
*.painstewardship.com *.MNK.com
*.rethinkmsrelapses.com *.mallinckrodt.jp
*.therakos.com *.therakos.eu
*.strataveratrials.com *.INOMAX.com
*.terlivaz.com
*.nicu-pet.com
*.oxygenisadrug.com
*.Mallinckrodt.com
*.StopInfantileSpasms.com
*.ActharOphthaImoIogy.com
*.ActharRheumatoIogy.com
*.ActharRheumatoIogyHCP.com
*.MallinckrodtHCPPortal.com
*.StrataveraTriaIs.com
*.ActharExcessProtein.com
*.ActharEyeConditions.com

2.2. Any other subdomain is specifically excluded

Page 1 of 6
 Published MasterControl documents frequently use JavaScript. If you are seeing this message, your viewer
either does not support JavaScript or it is disabled. If you are using Adobe Acrobat, please enable JavaScript.
If you are using another viewer, you will need to configure your browser to view PDF files externally in Adobe
Acrobat.
2.3. Any service not expressly listed above, such as any connected services, are excluded from
scope and are not authorized for testing described in the immediately following section
(Types of Testing). Additionally, security vulnerabilities found in non-Mallinckrodt systems
owned, operated, or otherwise managed by our vendors fall outside of this policy’s scope
and should be reported directly to the applicable vendor according to their disclosure policy
(if any). If you are not sure, whether a system or endpoint is in scope or not, contact us at
MPVR@mnk.com before starting your security research or at the security contact for the
system’s domain name listed in the WHoIS for the applicable domain.
2.4. Though we develop and maintain other internet-accessible systems or services, we ask
that active security research and testing only be conducted on the systems and services
covered by the scope of this policy. If there is a particular system not in scope that you
think merits testing, please contact us to discuss it first. We will review this policy from time
to time and consider whether to modify the scope of this policy over time. Mallinckrodt may
pursue all appropriate actions, including, without limitation, referral to the appropriate legal,
regulatory, or enforcement authorities, as a result of active security research and testing
conducted on systems and services outside the scope of this policy.
2.5. Types of testing
The following test types are expressly not authorized. Mallinckrodt will pursue all
appropriate actions available as a result of the use of any of these types of testing.
2.5.1. Using social engineering.
2.5.2. Using malware.
2.5.3. Phishing Attacks.
2.5.4. Changing the data accessed by exploiting the security vulnerability.
2.5.5. Compromising the system and persistently maintaining access to it.
2.5.6. Using brute force to gain access to systems.
2.5.7. Sharing security vulnerability with third parties.
2.5.8. Network denial of service (DoS or DDoS) tests.
2.5.9. Using the security vulnerability in any way beyond proving its existence. To
demonstrate that the security vulnerability exists, the reporter could use non-
intrusive methods. For example, listing a system directory.
2.5.10. Physical testing (e.g. office access, open doors, tailgating), social engineering
(e.g. phishing, vishing), or any other non-technical security vulnerability testing.

3. References
3.1. N/A

4. Definitions
4.1. “Security Vulnerabilities” means a flaw or weakness in system security procedures, design,
implementation, or internal controls that could be exercised (accidentally triggered or
intentionally exploited) and result in a security breach or a violation of the system’s security
policy.
4.2. “Security Researcher” means a person or entity who researches security vulnerabilities that
exist in software applications and hardware, attempts to discover and reverse engineer
malware, and finds flaws in websites and commonly used Internet protocols.
4.3. “Security Research” means the systematic investigation into and study of materials and
sources by security researchers to establish facts and reach new conclusions related to
security vulnerabilities.

Page 2 of 6
 Published MasterControl documents frequently use JavaScript. If you are seeing this message, your viewer
either does not support JavaScript or it is disabled. If you are using Adobe Acrobat, please enable JavaScript.
If you are using another viewer, you will need to configure your browser to view PDF files externally in Adobe
Acrobat.
5. Responsibilities
5.1. Security researchers or other third parties reporting potential security vulnerabilies.
5.2. MALLINCKRODT PHARMACEUTICALS is dedicated to maintaining the confidentiality,
integrity, and availability of Mallinckrodt’s products, systems, and information. We are
committed to ensuring the security of our customers and associates by protecting their
information from unwarranted disclosure of our delivering safe and secure products and
services.

6. Policy
6.1. Guidelines - We request that you:
6.1.1. Notify us as soon as possible after you discover a real or potential security issue.
6.1.2. Provide us a reasonable amount of time to resolve the issue before you disclose it
publicly.
6.1.3. Avoid privacy violations, degradation of user experience, disruption to production
systems, and destruction or manipulation of data.
6.1.4. Only use exploits to the extent necessary to confirm a security vulnerability’s
presence. Do not use an exploit to compromise or exfiltrate data, establish
command-line access and/or persistence, or use the exploit to “pivot” to other
systems.
6.1.5. Once you have established that a security vulnerability exists or encounter any
sensitive data (including personally identifiable information, financial information, or
proprietary information or trade secrets of any party), you must stop your test, notify
us immediately, and not disclose this data to anyone else.
6.1.6. Do not submit a high volume of low-quality reports. Mallinckrodt will consider
reports to be of “low-quality” if, at a minimum, a report does not contain the
information and detail set out in the what we would like to see from you section of
this policy.
6.2. Mallinckrodt Pharmaceuticals expressly reserves all rights in law and in equity in
connection with any security research conducted by or on behalf of any security research,
including, without limitation, referral to the appropriate legal, regulatory, or enforcement
agency, regardless if such security research complies with this policy.
6.3. Authorization
6.3.1. If you make a good faith effort to comply with this policy during your security
research, we will consider your security research to be authorized, we will work with
you to understand and resolve the issue quickly, and MALLINCKRODT
PHARMACEUTICALS will not recommend or pursue legal action related to your
security research. Mallinckrodt Pharmaceuticals expressly reserves all rights in law
and in equity in connection with any security research conducted by or on behalf of
you, regardless if such security research complies with this policy and whether such
security research is deemed “authorized.”
6.4. Reporting a vulnerability
6.4.1. Contact the Mallinckrodt Product Security Vulnerability Response Team by sending
an email to MPVR@mnk.com and include "VULNERABILITY DISCLOSURE" in the
email subject. If you have identified a potential security vulnerability with one of our
products. After your incident report is received, the appropriate personnel will
contact you to follow-up.

Page 3 of 6
 Published MasterControl documents frequently use JavaScript. If you are seeing this message, your viewer
either does not support JavaScript or it is disabled. If you are using Adobe Acrobat, please enable JavaScript.
If you are using another viewer, you will need to configure your browser to view PDF files externally in Adobe
Acrobat.
6.5. To ensure confidentiality, we encourage you to encrypt any sensitive information you send
to us via email. We can receive messages encrypted using OpenPGP. For a copy of our
public key for sending encrypted emails, see below.
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBF701qsBCADFv/L4/ifqbOcRfTjTvyAO1KAR57mYL3R5j8VASiCPpxXhcv/9
D7OvKqHoWqnf9BgFZ7HsG7dECedZfa0yolyx8uyTL+nFyFZsJ3rqH4Tb9ul7V8Yw
h5JX/hnmvmiycR/h3k5vs3eblcoG0EHIde4ZAj2SLE7IvjtJ2Li1J4oaPhwkZGBd
w3fFQyzJnFdsPfo7X7rp6xKssiGYeHzRsfvcPUXixUkt/l3rNYaBtIY/2v8Iqu7v
/a7Wm1WSnonbW/r8r8KQSP/2MW5yJTUHP/gh1lyeOA9AuBGf5l+RWpeRdwfnW0Xz
P5i7+o6QXbncgZSKOWKLLU+Pit3ZQ+eCbxrJABEBAAG0G01QVlJAbW5rLmNvbSA8
TVBWUkBtbmsuY29tPokBTgQTAQgAOBYhBOLwSmf2JiryeOVAWzGLjlvHfQBuBQJe
9NarAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEDGLjlvHfQBuxL4H/2Mf
AEMKLPiIEKIiPjHuoTTR+OzKeBoC0GHGvcZSOgNfkTJEhMnwThHHmUlZBOy0fFCt
2Ui8k+3gg+S76obMzUgHklZ3wKA8Zlcb3ltgRDDZt/K9eEQ5k2p7WRU4mA/GS8p0
HrH6ukSdsVRH6+OfCbaEkmRO2TcWsiLwwDtsABof6YLLzQZMOv9oEnvlEQOoDjt2
DGz7dXfZikrIrH5sbHGl/CygqbamK0MDNA8j0PkBmXHrLQWIJ+n9bQhQJlBbd/NQ
W9Q3SmWBqEEXkOsSZ6dV1zzOs9fDXFz9UnBMJIT2RRnlejabmbsZqE++sLv9ksaY
wrUPu8yWYDdZcT/Bfcu5AQ0EXvTWqwEIAMIxWHzck8uuO/WuG+tVRDflBjLy93wz
8L/wHpjh3qZ8PtLKvHAou8pwh140qOQsfk4Woayh9/vaqSts7CToQVpTuCa2K1h8
qkoxCr+Nh2NIj1ZC23PFZo/HVeZ81SMMsP9skAzIUxNtkRie/1ZAZoh+RQ3hYqFj
1EQxTu7TwWauNh6FudY3SFQs/wEc015edMGrt+6dN/ebphcwFzlC/H1bcH5M3ALe
IHQcd/DXr7RIpjGmIzV+eSr5vghAPeZKwL3VOsW2a817VnIU+IwOiWAYvoGtU/T6
/ERxwY2pKJ5v79NHQ8XS6vZHR/5w1rccdcGckCASeyRTxgM6W2lR0Q8AEQEAAYkB
NgQYAQgAIBYhBOLwSmf2JiryeOVAWzGLjlvHfQBuBQJe9NarAhsMAAoJEDGLjlvH
fQBuxysH/RVa6tipo0RElgrB970RKywZ68tmEBw3nU/6b+4YsZjQQCtyDLj+bD2v
Z6GPHh+Hkg5Zx90ZVr6tirV9Wxtu8MGwLiZ+Yxc5CFCAOOO+0I7GLvH+HwBUhzb2
pQQlx/9ClWmhZjVsWn2YRWHtq5twVnoq7qOTssHM/dLctxtXaKYRb4/M9YPtwY2C
jLy9mONEsKY/2usrd8tenBsbsmiZRYSdMzKgH+wSJhnhakkRVcr1t2yD7eRk3n2T
RzGNCAmv+V64Vh4dsDC6fnVGDEAqeuQhOsywqeCO5eegsOv7eKlTpzvaIVHahnBd
W+nQwgqmd+jDSYdbbITrnazO5n/EOic=
=r7AY
-----END PGP PUBLIC KEY BLOCK-----

6.6. The MPVR@mnk.com email address is intended ONLY for the purpose of reporting
product or service security vulnerabilities specific to our products or services. For technical
support information on our products or services, please visit
www.mallinckrodt.com/support.
6.7. We accept security vulnerability reports via MPVR@mnk.com. Reports may be submitted
anonymously.

Page 4 of 6
 Published MasterControl documents frequently use JavaScript. If you are seeing this message, your viewer
either does not support JavaScript or it is disabled. If you are using Adobe Acrobat, please enable JavaScript.
If you are using another viewer, you will need to configure your browser to view PDF files externally in Adobe
Acrobat.
6.8. We will use our best efforts to acknowledge receipt of your report within three business
days.
6.9. What we would like to see from you
To help us triage and prioritize submissions, a report detailing your security research
should include, at a minimum, the following:
6.9.1. Describe the security vulnerability, where it was discovered, and the potential impact
of exploitation.
6.9.2. Offer a detailed description of the steps needed to reproduce the security
vulnerability (for example proof of concept scripts or screenshots).
6.9.3. A clear and detailed description of the security vulnerability.
6.9.4. Clear and detailed information about how the security vulnerability has been
discovered. The objective is to be able to reproduce it.
6.9.5. Proof of the existence of the security vulnerability (screenshot, link, etc.)
6.9.6. A timeline or other information about the moment (date and time) the security
vulnerability was discovered.
6.9.7. All information necessary for locating and resolving the security vulnerability in the
fastest and most efficient way possible.
6.9.8. Be in English, if possible.
6.10.What you can expect from us
When you choose to share your contact information with us, we commit to coordinating with
you as openly and as quickly as possible.
6.10.1. Within three business days, we will use our best efforts to acknowledge that your
report has been received.
6.10.2. To the best of our ability, we will confirm the existence of the security vulnerability
to you and be as transparent as possible about what steps we are taking during
the remediation process, including on issues or challenges that may delay
resolution.
6.10.3. We will maintain an open dialogue to discuss issues.
6.11.Severity
6.11.1. Mallinckrodt Pharmaceuticals follows standard industry best practices in scoring
or rating security vulnerabilities’ potential impact by adopting the Common
Vulnerability Scoring Systems (CVSS) framework for communicating the
characteristics and impacts of its IT security vulnerabilities.
6.12.Security Advisories
6.12.1. Security advisories related to our products and services are posted on our web
site at www.mallinckrodt.com/product_security/advisories. In most cases, we will
issue a notice when we have identified a practical workaround or fix for the
particular security vulnerability, though there may be instances when we issue a
notice in the absence of a workaround when the security vulnerability has
become widely known to the security community.
6.12.2. In cases where there are regulatory or legal requirements to report security
research findings, Mallinckrodt will report such findings to the appropriate
regulatory, legal, or enforcement agencies.
6.12.3. In cases where a third party notifies Mallinckrodt of a potential security
vulnerability found in our systems and services, we will investigate the finding

Page 5 of 6
 Published MasterControl documents frequently use JavaScript. If you are seeing this message, your viewer
either does not support JavaScript or it is disabled. If you are using Adobe Acrobat, please enable JavaScript.
If you are using another viewer, you will need to configure your browser to view PDF files externally in Adobe
Acrobat.
and may publish a coordinated disclosure along with the third party. In some
instances, Mallinckrodt may receive information about a security vulnerability
from a supplier subject to a confidentiality obligation or under embargo. In these
cases, Mallinckrodt will work with the applicable supplier to request that a
security fix is released although we may not be able to provide details about the
security vulnerability.

7. Attachments
7.1. N/A

8. Revision History

Revision No. Change Description

1 New

Page 6 of 6
 Published MasterControl documents frequently use JavaScript. If you are seeing this message, your viewer
either does not support JavaScript or it is disabled. If you are using Adobe Acrobat, please enable JavaScript.
Signature Manifest
If you are using another viewer, you will need to configure your browser to view PDF files externally in Adobe
Document Number: POLICY-0295 Acrobat. Revision: 1
Title: Vulnerability Disclosure Policy
All dates and times are in UTC.

Vulnerability Disclosure Policy

DCC Review

Name/Signature Title Date Meaning/Reason

Megan Vernak
Director, Product Monitoring 10 Aug 2020, 11:50:14 PM Approved
(MEGAN.VERNAK)

Create/Revise

Name/Signature Title Date Meaning/Reason

Elizabeth Bunting
12 Nov 2020, 08:21:33 PM Complete
(ELIZABETH.BUNTING)

Peer Collaboration

Name/Signature Title Date Meaning/Reason

Elizabeth Bunting
12 Nov 2020, 08:21:53 PM Complete
(ELIZABETH.BUNTING)

Doc Control Review

Name/Signature Title Date Meaning/Reason

Elizabeth Bunting
12 Nov 2020, 08:26:13 PM Complete
(ELIZABETH.BUNTING)

Manager Training Approval

Name/Signature Title Date Meaning/Reason

Christopher Lax
19 Dec 2020, 10:43:37 PM Approved
(CHRISTOPHER.LAX)

Author/Department Approval

Name/Signature Title Date Meaning/Reason

John OGorman
21 Dec 2020, 03:04:58 PM Approved
(JOHN.OGORMAN)
Brian Luteran (BRIAN.LUTERAN) 18 Mar 2021, 08:09:31 PM Approved

Final QA Approval

Name/Signature Title Date Meaning/Reason

Megan Vernak
Director, Product Monitoring 18 Mar 2021, 08:38:05 PM Approved
(MEGAN.VERNAK)

Training
 Published MasterControl documents frequently use JavaScript. If you are seeing this message, your viewer
either does not support JavaScript or it is disabled. If you are using Adobe Acrobat, please enable JavaScript.
Name/Signature Title Date Meaning/Reason
If you are using another viewer, you will need to configure your browser to view PDF files externally in Adobe
Constance Butler
(CONSTANCE.BUTLER)
LMS Specialist Acrobat.
17 May 2021, 01:40:01 PM Approved

Change Control Approval

Name/Signature Title Date Meaning/Reason

Elizabeth Bunting
17 May 2021, 01:43:29 PM Approved
(ELIZABETH.BUNTING)

Set Dates

Name/Signature Title Date Meaning/Reason

Elizabeth Bunting
17 May 2021, 01:45:32 PM Approved
(ELIZABETH.BUNTING)

Notification

Name/Signature Title Date Meaning/Reason

Nino Zozzaro (NINO.ZOZZARO) Lead EQMS Specialist 17 May 2021, 01:45:32 PM Email Sent