Customer trust through continual product availability and information integrity is the guiding principle of CoStar Group's Information Security Program.
Our Chief Technology Officer and Vice President of Cybersecurity oversee teams, strategies and programs to protect employees, customers and information in accordance with all applicable laws and industry-leading practices.
Our global information security program is fundamentally aligned with ISO 27001 and aligned with the European Union's General Data Protection Regulation (GDPR).
All our payment-card-impacted products and applications comply with PCI DSS Level 2 requirements. Our CoStar Risk Analytics and CoStar Real Estate Manager services maintain SOC 1, Type 2 attestation reports. Additionally, our CoStar Real Estate Manager and CoStar for Lenders services maintain SOC 2, Type 2 attestation reports.
Documents
Self-Assessments
We are working on our security compliance. We can provide completed questionnaires upon request.
Reports
We may provide security-related reports upon request.
CoStar Group's Response to Ivanti Connect Secure Vulnerability (CVE-2025-0282)
On January 8, 2025, CoStar Group learned of a vulnerability associated with the Ivanti Connect Secure product (CVE-2025-0282). CoStar Group uses the Ivanti Connect Secure application to support some remote access cases. CoStar Group took immediate steps to review the vulnerability and its presence in CoStar Group's environment.
As of January 9, 2025, CoStar Group has fully remediated the vulnerability. CoStar Group performed an investigation and found no signs of compromise or unauthorized access related to this vulnerability.
CoStar Group continues to monitor guidance from the Cybersecurity and Infrastructure Security Agency, Ivanti, the company's third parties, and other leading cybersecurity authorities regarding the Connect Secure application. Please monitor the company's Trust Center for additional updates, as required.
If you need help using this Trust Center, please contact us.
If you think you may have discovered a vulnerability, please send us a note.