Vulnerability Disclosure Policy
As a mission-oriented company that respects the privacy of each individual and puts technology and innovation at the service of people, we consider the safety and security of our members and customers to be one of our main priorities.
We strive to ensure the best quality of service and the highest level of security in our products, from the moment they are designed. However, despite our best efforts, vulnerabilities may still be present.
That is why CIC has a vulnerability disclosure policy. This policy explains how to report potential vulnerabilities affecting its services and how these reports are processed.
The entry point for reporting will be our “Computer Emergency Response Team (CERT) CM-EI”.
CIC would like to thank you for your report and for its contribution to the security of as many people as possible.
How do I report a potential security breach?
To report a vulnerability, please send us a message via the following form. To help us identify and manage the vulnerability, please include as much information as possible in the reporting form.
For security reasons, all our subsequent exchanges will be encrypted using PGP.
To send us encrypted communications, you can use our PGP key available on the Crédit Mutuel site.
Processing your report
Following your report, our teams will analyse its content in order to validate the vulnerability classification as soon as possible. We will contact you only if further information is needed.
- No remuneration is provided under this program even if the vulnerability is proven;
- For security reasons, no publication of flaws and their resolution will be made.
CIC remains the sole judge of the vulnerability classification and risk categorization that follows. The processing and resolution time of these vulnerabilities remains at the discretion of CIC.
By submitting your Vulnerability Statement to CIC you are bound to:
- Comply with applicable laws;
- Not perform denial of service or resource depletion attacks;
- Use CIC's systems without the intent to harm the Group, its customers, employees or third parties;
- Not use, modify, or erase any data that you may access by exploiting the said vulnerability;
- Not carry out social engineering, spam, or phishing attacks against CIC employees or trusted third parties;
- Not test the physical security of CIC's assets or those of its third parties;
- Not disclose information related to this report, the reported vulnerability, or the fact that a vulnerability has been reported in CIC.
This non-disclosure undertaking is applicable regardless of whether CIC had prior knowledge of the information.
All aspects of this process are subject to change without notice.
Reporting a vulnerability does not confer on you any intellectual property rights in assets owned by CIC or any third party.