Vulnerability Disclosure Policy
As a mission-oriented company, respectful of the privacy of each individual, we put technology and innovation at the service of human, we consider safety and security of our members and customers to be one of our main priorities.
We strive to ensure the best quality of service and the highest level of security in our products, from the moment they are designed. However, despite our best efforts, vulnerabilities may still be present.
That is why CMIM has a vulnerability disclosure policy. This policy explains the communication regarding reporting of potential vulnerabilities affecting its services, as well as the method of processing these reporting.
The entry point for reporting will be our “Computer Emergency Response Team (CERT) CM-EI”.
CMIM would like to thank you for your reporting and for the contribution it has made to the security of as many people as possible.
How do I report a potential security breach?
For any reporting of vulnerability, please send us a message via the following form. In order to improve the management and identification of this vulnerability, please include as much information as possible in the reporting form.
For security reasons, all our subsequent exchanges will be encrypted using PGP.
To send us encrypted communications, you can use our PGP key available on the Crédit Mutuel site.
Processing your report
Following your reporting, our teams will analyse its content in order to validate the vulnerability classification as soon as possible. We will contact you only if further information is needed.
- No remuneration is provided under this program even if the vulnerability is proven;
- For security reasons, no publication of flaws and their resolution will be made.
CMIM remains the sole judge of the vulnerability classification and risk categorization that follows. The processing and resolution time of these vulnerabilities remains at the discretion of CMIM.
By submitting your Vulnerability Statement to CMIM you are bound to:
- Comply with applicable laws;
- Not perform denial of service or resource depletion attacks;
- Use CMIM's systems without the intent to harm the Group, its customers, employees or third parties;
- Not use, modify, or erase any data that you may access by exploiting the said vulnerability;
- Not carry out social engineering, spam, or phishing attacks against CMIM employees or trusted third parties;
- Not test the physical security of assets of CMIM or its third-party;
- Not disclose information related to this reporting, the reported vulnerability, nor the fact that a vulnerability has been reported in CMIM.
This non-disclosure undertaking is applicable regardless of whether CMIM had prior knowledge of the information.
All aspects of this process are subject to change without notice.
Reporting a vulnerability does not confer you any intellectual property rights in assets owned by CMIM or any third party.