
Vulnerability Disclosure Program

As a leading nationwide full-service lender that offers consumers choices in their mortgage decisions, the security and integrity of our customer and confidential data are of utmost importance. CrossCountry Mortgage employs a robust and layered defense strategy to protect its website from a range of online threats. This ranges from security baked into the Software Development Life Cycle (SDLC) in the form of code review, to Web Application Firewalls, to independent, external penetration testing.

Additionally, CrossCountry Mortgage regularly reviews, tests, and upgrades its information security protections based on the current threat and business landscape. However, the reality is that vulnerabilities sometimes escape detection, or new exploits are released before we can identify and remediate them. At CrossCountry Mortgage, we investigate all received vulnerability reports and rapidly implement mitigating controls to maintain the security and integrity of our systems and data. If you are a security researcher and have discovered a security vulnerability in our products, we appreciate your help in disclosing it to us in a responsible manner.

If you identify a verified vulnerability in compliance with CrossCountry Mortgage’s Responsible Disclosure Policy, CrossCountry Mortgage commits to:

  • Provide prompt acknowledgement of receipt of your vulnerability report (within 48 business hours of submission).
  • Work closely with you to understand the nature of the issue and work together on timelines for the fix and disclosure.
  • Notify you when the vulnerability is resolved, so that it can be re-tested and confirmed as remediated.
  • Publicly acknowledge your responsible disclosure (if you request this).
  • Review the work effort required to identify and responsibly disclose the vulnerability and offer any applicable compensation.

CrossCountry Mortgage supports responsible disclosure, and we take responsibility for disclosing product vulnerabilities and security/privacy events to our customers and partners in accordance with our defined legal and contractual terms. To encourage responsible disclosure, we ask that all researchers comply with the following Responsible Disclosure Guidelines:

  • Allow CrossCountry Mortgage an opportunity to correct a vulnerability within a reasonable time frame before publicly disclosing the identified issue.
  • Make a good faith effort to avoid privacy violations as well as destruction, interruption or segregation of our services.
  • Do not modify or destroy data that does not belong to you.

CrossCountry Mortgage’s Security GRC team and General Counsel review our Vulnerability Disclosure policy from a legal and operational perspective on a yearly basis.

 


 

Vulnerability Disclosure Form
