Vulnerability Disclosure Policy

As a mission-oriented company that respects the privacy of each individual and puts technology and innovation at the service of people, we consider the safety and security of our members and customers to be one of our main priorities.

We strive to ensure the best quality of service and the highest level of security in our products, from the moment they are designed. However, despite our best efforts, vulnerabilities may still be present.

That is why CIC Structured Finance has a vulnerability disclosure policy. This policy explains how to report potential vulnerabilities affecting its services and how these reports are processed.

The entry point for reporting will be our “Computer Emergency Response Team (CERT) CM-EI”.

CIC Structured Finance would like to thank you for your report and for its contribution to the security of as many people as possible.

How do I report a potential security breach?

To report a vulnerability, please send us a message via the following form. To help us identify and manage the vulnerability, please include as much information as possible in the reporting form.

For security reasons, all our subsequent exchanges will be encrypted using PGP.

To send us encrypted communications, you can use our PGP key available on the Crédit Mutuel site.

Processing your report

Following your report, our teams will analyse its content in order to validate the vulnerability classification as soon as possible. We will contact you only if further information is needed.

In addition:

  • No remuneration is provided under this program even if the vulnerability is proven;
  • For security reasons, no publication of flaws and their resolution will be made.

CIC Structured Finance remains the sole judge of the vulnerability classification and risk categorization that follows. The processing and resolution time of these vulnerabilities remains at the discretion of CIC Structured Finance.

Disclosure requirements

By submitting your Vulnerability Statement to CIC Structured Finance, you are bound to:

  • Comply with applicable laws;
  • Not perform denial of service or resource depletion attacks;
  • Use CIC Structured Finance's systems without the intent to harm the Group, its customers, employees or third parties;
  • Not use, modify, or erase any data that you may access by exploiting the said vulnerability;
  • Not carry out social engineering, spam, or phishing attacks against CIC Structured Finance employees or trusted third parties;
  • Not test the physical security of assets of CIC Structured Finance or its third parties;
  • Not disclose information related to this report, the reported vulnerability, or the fact that a vulnerability has been reported in CIC Structured Finance.

This non-disclosure undertaking is applicable regardless of whether CIC Structured Finance had prior knowledge of the information.

All aspects of this process are subject to change without notice.

Reporting a vulnerability does not confer on you any intellectual property rights in assets owned by CIC Structured Finance or any third party.