Security Policy

Reporting a Vulnerability

If you believe you have discovered a security vulnerability in any MCL Web Solutions system, service, or application, we encourage you to report it to us immediately.

Please submit your report to: security@mclwebsolutions.com

Include as much detail as possible to help us understand and reproduce the issue, including:

• Description of the vulnerability and its potential impact
• Steps to reproduce the issue
• Affected systems, URLs, or components
• Any proof-of-concept code or screenshots (if applicable)
• Your contact information for follow-up

Our Commitment

Upon receiving a vulnerability report, MCL Web Solutions commits to:

• Acknowledge receipt of your report within 48 business hours
• Provide an initial assessment within 5 business days
• Keep you informed of our progress throughout the investigation
• Notify you when the vulnerability has been remediated
• Recognize your contribution (with your permission) once the issue is resolved

Disclosure Timeline

We request that security researchers allow us a reasonable timeframe to investigate and address reported vulnerabilities before public disclosure.

Standard disclosure timeline: 90 days from initial report

We will work diligently to resolve critical vulnerabilities as quickly as possible. If additional time is required, we will communicate this clearly and work with you to establish a mutually agreeable disclosure timeline.

Responsible Research Guidelines

To ensure the safety and security of our systems and users, we ask that security researchers:

• Do not access, modify, or delete data belonging to others
• Do not perform testing that could degrade or disrupt our services
• Do not use social engineering, phishing, or physical attacks against our employees or infrastructure
• Do not publicly disclose the vulnerability before we have had adequate time to address it
• Make a good faith effort to avoid privacy violations and data destruction
• Only interact with accounts you own or have explicit permission to access

Safe Harbor

MCL Web Solutions supports security research conducted in accordance with this policy. We will not pursue legal action against researchers who:

• Follow the guidelines outlined in this policy
• Report vulnerabilities promptly and in good faith
• Avoid intentional harm to our systems, data, or users
• Respect the confidentiality of any discovered vulnerabilities

We consider security research conducted under this policy to be authorized testing and will not initiate legal proceedings for activities that comply with these guidelines.

Out of Scope

The following issues are considered out of scope and should not be reported:

• Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
• Social engineering attacks against MCL Web Solutions staff or contractors
• Physical security testing of MCL Web Solutions facilities
• Reports from automated scanning tools without validation
• Issues affecting outdated or unsupported browsers
• Missing security headers that do not lead to a demonstrable vulnerability
• Clickjacking on pages with no sensitive actions
• SPF/DKIM/DMARC records on domains not used for email