our security testing policy
Last Updated: March 6, 2026
At Codeintel LLC (“Codeintel,” “we,” “our”), security is foundational to the design, development, and operation of the mBig (Mortgage Bigger) platform. This Security Testing Policy defines the standards, controls, and procedures governing all security testing activities conducted against our systems, applications, and infrastructure.
This policy applies to all internal teams, third-party vendors, and authorized partners performing security testing on any Codeintel-managed environment.
purpose & intent
The purpose of this policy is to ensure that all security testing activities are conducted in a controlled, authorized, and compliant manner that:
✓ Protects the confidentiality, integrity, and availability of systems and data
✓ Prevents unintended service disruption or data exposure
✓ Aligns with regulatory expectations applicable to the mortgage and financial services industry
✓ Maintains trust with our clients, partners, and end users
scope & coverage
This policy applies to all security testing performed on:
✓ Codeintel corporate systems and infrastructure
✓ The mBig platform (including CMS, APIs, dashboards, and integrations)
✓ Client environments hosted or managed by Codeintel
✓ Associated domains, subdomains, and cloud resources
Security testing includes, but is not limited to:
✓ Penetration testing (web application, API, network)
✓ Vulnerability scanning
✓ Configuration and infrastructure assessments
✓ Authentication and authorization testing
✓ Business logic and abuse-case testing
authorization requirements
No security testing may be performed without explicit written authorization from Codeintel.
All testing must be approved through a formal process that includes:
✓ A signed Authorization to Test document
✓ A defined Scope of Work (SOW)
✓ Named individuals authorized to conduct testing
✓ Approved testing window and duration
Unauthorized testing is strictly prohibited, may be treated as malicious activity, and may be subject to legal action.
approved testing standards
All security testing must adhere to recognized industry standards, including:
✓ OWASP Top 10 and OWASP Testing Guide
✓ PTES (Penetration Testing Execution Standard)
✓ NIST SP 800-115 (Technical Guide to Information Security Testing)
Testing must include both automated and manual techniques, with emphasis on real-world attack simulation and business logic validation.
scope control
All testing must be strictly limited to approved assets defined in the Scope of Work. The following must be explicitly defined prior to testing:
✓ In-scope domains, IPs, applications, and APIs
✓ Out-of-scope systems and restricted assets
✓ Testing types (authenticated vs unauthenticated)
Testing outside of approved scope is prohibited.
rules of engagement
To protect system stability and data integrity, the following rules apply:
✓ No Denial-of-Service (DoS) or destructive testing without explicit approval
✓ No exploitation beyond proof-of-concept
✓ No modification, deletion, or corruption of production data
✓ Testing must respect defined rate limits and system thresholds
✓ Immediate suspension of testing if system instability is detected
data protection & privacy
All parties performing testing must adhere to strict data protection standards:
✓ No unauthorized data exfiltration
✓ Any sensitive data accessed must be minimized and handled securely
✓ Data must be encrypted in transit and at rest
✓ PII must not be stored unless explicitly authorized and must be redacted where possible
✓ All testing data must be securely deleted within an agreed timeframe
access & credential management
Where testing requires authenticated access:
✓ Codeintel will provide temporary, scoped test accounts
✓ Least-privilege access will be enforced
✓ Multi-factor authentication (MFA) will be used where applicable
✓ All credentials must be securely stored and destroyed after testing
monitoring & incident response
All testing activities are subject to monitoring and logging. In the event of a critical finding or incident:
✓ Immediate notification to Codeintel is required
✓ A real-time escalation channel must be maintained during testing
✓ Codeintel reserves the right to suspend testing at any time
reporting requirements
All security testing engagements must include comprehensive reporting:
✓ Executive summary (business impact focused)
✓ Detailed technical findings
✓ Risk severity ratings (e.g., CVSS)
✓ Proof-of-concept evidence
✓ Clear remediation recommendations
Reports must be delivered within the agreed timeframe and in a format suitable for both technical and executive audiences.
retesting & validation
All identified vulnerabilities must be validated after remediation:
✓ At least one retesting cycle is required
✓ A validation report confirming resolution must be provided
legal & compliance
All testing must comply with applicable laws, regulations, and contractual obligations:
✓ All parties must sign confidentiality agreements (NDAs)
✓ Testing must comply with data protection and privacy laws
✓ Liability and indemnification terms must be clearly defined
Codeintel reserves the right to pursue legal action in the event of unauthorized or negligent activity.
internal preparation
Prior to approving any testing engagement, Codeintel will:
✓ Perform system and database backups
✓ Notify hosting, CDN, and security providers
✓ Enable enhanced monitoring and logging
✓ Inform internal stakeholders
continuous security commitment
Security testing is part of Codeintel’s broader commitment to continuous improvement. We regularly evaluate and enhance our security posture through:
✓ Ongoing vulnerability assessments
✓ Periodic penetration testing
✓ Secure development practices
✓ Compliance and risk management programs
Our objective is to maintain a resilient, secure, and compliant platform that protects our clients and their customers at every level.
contact information
For questions regarding this policy or to request authorization for security testing, please contact:
✓ Email: info@codeintel.com
✓ Website: https://codeintel.com