Freddie Mac monitors activity on our applications, websites, and other computer systems as part of our overall information security program. We believe effective disclosure of security vulnerabilities requires mutual trust, respect, transparency and common good between Freddie Mac and Security Researchers.

The purpose of this Vulnerability Disclosure Policy is to establish guidelines for security researchers and the wider community to be responsible and disclose potential vulnerabilities in our systems. This policy aims to promote collaboration between our company and the security community, fostering a more secure digital environment.


This policy applies to all internet-facing assets, including web applications and any associated infrastructure owned or managed by our organization.

Vulnerability Reporting

If you believe you have discovered a security vulnerability, please report it using the mail link below.

Report potential vulnerabilities to us.

Please copy and paste the following into your email body and fill out as best you can:

  • Submission title: [A short title of the vulnerability or email subject line]
  • Location: [Servername/URL/Application]
  • Any technical information on how to reproduce:
  • Potential impact:
  • Description of vulnerability (CVE if available): [Help us get an idea of what this vulnerability is about.]
  • Additional Context:
  • Email of reporter:
  • Company (if applicable):

Our platform vendor (Bugcrowd) provides screening and initial triage to validate vulnerabilities. The Bugcrowd Security team will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action for resolution.

Please note that submissions of vulnerabilities will require agreement to Bugcrowd’s terms and conditions. Freddie Mac does not offer a bug bounty reward program.

We encourage responsible disclosure and ask that you adhere to the following guidelines.

  • Do not disclose the vulnerability outside of this Vulnerability Disclosure Program.
  • Do not violate any laws.
  • Do not disrupt services (DoS/DDoS).
  • Do not access, modify or destroy any accounts or data that does not belong to you.
  • Do not introduce malicious or monitoring software.

Legal Considerations

We do not authorize any activities that violate applicable laws, regulations or guidelines in this policy. Reporters must respect the legal boundaries of their actions.


This policy does not cover social engineering attacks, phishing attempts, or any actions that could compromise the privacy and security of our users.