Security Policy
Guidelines for reporting security vulnerabilities affecting MCS public websites and services.
MCS takes the security of our websites, systems, and customer-facing services seriously. This policy explains how to report a suspected security vulnerability to us and what we expect from anyone performing security research involving MCS-owned public assets.
If you believe you have found a vulnerability, please report it promptly and give us a reasonable opportunity to investigate and correct the issue before sharing details publicly.
How to report a vulnerability
Send security reports to security@thinkmcs.com.
Please include as much useful detail as possible:
- the affected domain, URL, endpoint, or service
- a clear description of the suspected vulnerability
- step-by-step instructions to reproduce the issue
- screenshots, request and response samples, proof-of-concept code, or logs when helpful
- the potential impact, including what data or access may be at risk
- your name or preferred attribution, if you want it included in any acknowledgement
Do not include sensitive customer data in a report unless it is necessary to demonstrate the issue. If you believe sensitive data was exposed, describe the type of data and where it appeared rather than sending full records.
Scope
This policy applies to MCS-owned public websites and internet-facing services, including:
- thinkmcs.com
- www.thinkmcs.com
- public web forms and APIs served from those domains
All other systems and domains, including cloud tenants, third-party platforms, customer environments, vendor products, employee accounts, and physical facilities, are outside the scope of this policy unless MCS gives you written authorization before testing.
Safe testing rules
When researching or validating a vulnerability, you must avoid activity that could harm MCS, our customers, our users, or third parties.
Do not:
- access, modify, delete, retain, or exfiltrate data that does not belong to you
- perform denial-of-service testing, stress testing, or automated high-volume scanning
- send spam, phishing messages, social engineering attempts, or deceptive communications
- attempt to access employee, customer, vendor, or administrative accounts
- bypass physical security controls or test MCS facilities
- install malware, persistence mechanisms, backdoors, or command-and-control tooling
- pivot from an affected system into another system or network
- publicly disclose vulnerability details before MCS has had a reasonable opportunity to respond
If you accidentally access data or systems outside what is necessary to confirm the vulnerability, stop testing, preserve only the minimum evidence needed for the report, and notify us immediately.
Out-of-scope findings
The following findings are generally out of scope unless they demonstrate a clear, exploitable security impact:
- missing or cosmetic HTTP headers without a practical exploit path
- clickjacking on pages that do not perform sensitive actions
- rate limiting observations without demonstrated abuse potential
- automated scanner output without validation
- email spoofing findings that do not account for current SPF, DKIM, and DMARC behavior
- TLS configuration preferences that do not enable a practical attack against supported clients
- user enumeration claims without a meaningful impact
- self-XSS, logout CSRF, or issues requiring malware or full local device compromise
- vulnerabilities in third-party services that MCS does not control
We still welcome well-explained reports, but prioritization will be based on real-world risk and exploitability.
Our response process
After receiving a report, we will review the information, attempt to validate the issue, and prioritize remediation based on severity, exploitability, and potential business impact.
Our target response timeline is:
- acknowledge receipt within 5 business days
- provide an initial assessment or request for more information within 10 business days
- keep the reporter informed when the issue is confirmed and remediation is in progress
- notify the reporter when the issue has been resolved or otherwise closed
Response timelines may vary depending on complexity, affected vendors, business operations, and whether the report contains enough information to reproduce the issue.
Public disclosure
Please do not publicly disclose vulnerability details until MCS has confirmed the issue has been resolved or has provided written approval for disclosure.
If coordinated disclosure is appropriate, we will work with you on timing and attribution. MCS may decline public attribution for reports that are low impact, duplicate, inaccurate, abusive, or outside this policy.
Compensation
MCS does not operate a public bug bounty program and does not offer compensation for vulnerability reports unless there is a separate written agreement in place before testing begins.
Legal and conduct expectations
This policy is intended to support good-faith security research. Activities that follow this policy, avoid privacy harm, avoid service disruption, and are promptly reported to MCS will be treated as authorized for the limited purpose of vulnerability disclosure.
MCS reserves the right to take action if research activity is harmful, deceptive, destructive, extortive, unlawful, or outside the boundaries described in this policy.
Contact
Security reports: security@thinkmcs.com
General inquiries: Contact MCS