Security & Vulnerability Disclosure

Last Updated: July 3, 2026

Effective Date: July 3, 2026
Last Updated: July 3, 2026
Version: 2.0


Our Commitment to Security

At MHC Information Services, LLC (MHCIS), security is part of how we engineer and operate. We serve regulated industries, including financial services, insurance, and healthcare, and we value the security research community. Responsible, coordinated disclosure of vulnerabilities helps us protect our systems, our services, and the people who rely on them.

This page describes our coordinated vulnerability disclosure policy and the real security controls we operate. We claim only what we can substantiate.

Coordinated Vulnerability Disclosure

We encourage security researchers and users to report potential vulnerabilities to us. We commit to working with you in good faith to understand, validate, and remediate legitimate security issues.

Scope

This policy applies to vulnerabilities discovered in:

In Scope

  • Primary Website: mhcis.com and its subdomains
  • Web Applications: Our customer-facing applications and portals
  • APIs: Our public and authenticated API endpoints
  • Infrastructure: Our cloud infrastructure configurations and deployments
  • Third-Party Integrations: Security issues in our implementations of third-party services

Out of Scope

The following are explicitly excluded from this policy:

  • Social engineering attacks (phishing, vishing, and similar)
  • Physical security testing
  • Denial of Service (DoS/DDoS) attacks and volumetric testing
  • Spam or social media account takeovers
  • Issues in third-party services we do not control
  • Previously reported or already known vulnerabilities
  • Non-security-related bugs

What to Report

We are interested in learning about vulnerabilities such as:

Higher Priority

  • Authentication Issues: Bypass mechanisms, credential leaks, session management flaws
  • Authorization Flaws: Privilege escalation, insecure direct object references (IDOR)
  • Injection Vulnerabilities: SQL injection, command injection, cross-site scripting (XSS)
  • Cryptographic Failures: Weak encryption, insecure key handling, sensitive data exposure
  • Security Misconfigurations: Exposed admin interfaces, default credentials, unnecessary services
  • Broken Access Control: Unauthorized data access or modification

Medium Priority

  • Cross-Site Request Forgery (CSRF)
  • Server-Side Request Forgery (SSRF)
  • Information Disclosure: Sensitive information in responses, error messages, or logs
  • Business Logic Flaws: Bypassing intended workflows or restrictions
  • API Security Issues: Rate-limiting bypasses, improper input validation

Lower Priority (Still Valued)

  • Missing security headers
  • Outdated software versions (with demonstrated exploitability)
  • TLS/SSL configuration issues
  • Clickjacking (on sensitive pages)

What NOT to Report

The following are generally not considered actionable vulnerabilities:

  • Content injection without demonstrated XSS
  • Missing rate limiting without demonstrated abuse potential
  • Missing cookie flags on non-sensitive cookies
  • Theoretical vulnerabilities without a proof of concept
  • Reports from automated scanners without validation
  • Issues requiring extensive user interaction or unlikely scenarios
  • Best-practice suggestions without security impact

How to Report a Vulnerability

Preferred Method: Email

Send detailed reports to: contact@mhcis.com

Subject Line: [SECURITY] Brief Description of Vulnerability

Alternative Method: Phone

For urgent security matters: +1 (803) 881-3889

security.txt

We publish a standard security.txt file at:
https://mhcis.com/.well-known/security.txt

What to Include in Your Report

Please provide as much detail as possible:

  1. Vulnerability Type: For example SQL injection, XSS, or IDOR
  2. Affected URL or Endpoint: The specific location of the vulnerability
  3. Steps to Reproduce: Clear, numbered steps we can follow
  4. Proof of Concept: Screenshots, video, or code samples
  5. Impact Assessment: What an attacker could achieve
  6. Your Recommendation: Suggested remediation, if you have one
  7. Your Contact Information: So we can follow up with questions

Encrypted Communication

We do not currently publish a PGP key. If you require an encrypted channel for a sensitive disclosure, please contact us and we will arrange one.

Our Response Process

Acknowledgment Targets

The following are targets we aim to meet, not contractual guarantees:

  • We aim to acknowledge your report within 2 business days.
  • We aim to provide a preliminary assessment within 5 business days.
  • We aim to share a remediation plan or timeline within 10 business days.

Timing may vary with the complexity and severity of the issue. We will keep you informed.

Investigation and Remediation

  1. Triage: We assess the severity and potential impact.
  2. Validation: We attempt to reproduce the issue.
  3. Fix Development: Our engineering team develops and tests a fix.
  4. Deployment: We deploy the fix.
  5. Verification: We confirm the vulnerability is resolved.
  6. Disclosure: We coordinate any public disclosure with you.

Communication

We aim to keep you informed throughout the process, provide status updates, and coordinate disclosure timing with you. With your permission, we are glad to credit your contribution.

Disclosure Policy

Coordinated Disclosure

We practice coordinated disclosure that protects users while giving fair credit to researchers. We request:

  • Up to 90 days from your initial report before any public disclosure, to allow time to remediate
  • Coordination with us on disclosure timing
  • No public disclosure until the issue is fixed or the 90-day window has elapsed, whichever comes first

Public Disclosure

After a fix is deployed, we may publish a security advisory for significant issues and, with your permission, credit you in our release notes.

No Paid Bug Bounty

MHCIS does not operate a paid bug bounty program at this time, and we do not maintain a public researcher hall of fame. We value good-faith security research and will acknowledge valid reports and, with your permission, credit your contribution. We may introduce a formal program in the future; this policy will be updated if we do.

We support security researchers who:

  • Act in good faith
  • Follow this coordinated disclosure policy
  • Do not access, modify, or delete data beyond what is necessary to demonstrate the vulnerability
  • Do not intentionally harm users, data, or the availability of our services
  • Do not publicly disclose the issue before we have had a reasonable opportunity to address it

For research conducted consistent with this policy, we commit to:

  • Treat your activities as authorized conduct under this policy
  • Not pursue or support legal action against you for good-faith testing and reporting carried out in accordance with this policy
  • Work with you to understand and resolve the issue

If a third party initiates legal action against you in connection with activities conducted in compliance with this policy, we will take reasonable steps to make known that your actions were authorized under this policy. This policy does not authorize actions that violate applicable law, and it does not limit rights against conduct outside its terms.

Security Controls We Operate

We describe below the controls we actually implement on this site and its supporting stack.

Application and Transport Security

  • TLS/HTTPS enforced site-wide, with HTTP Strict Transport Security (HSTS)
  • Content Security Policy (CSP) and modern security response headers
  • Vercel BotID for invisible bot mitigation on forms, plus server-side rate limiting
  • Sentry for error and exception monitoring

Privacy-Preserving Design

  • IP addresses are hashed, not stored in raw form
  • Analytics are consent-gated and honor Global Privacy Control (GPC)
  • Self-hosted fonts, with no third-party font CDN calls

Engineering and Access

  • Secure software development lifecycle (SDLC) with dependency review
  • Infrastructure-as-code for repeatable, reviewable configuration
  • Least-privilege access to systems and data
  • Software engineered in-house, not outsourced

Hosting and Data Protection

  • Hosting on Vercel and Microsoft Azure (US regions)
  • Encryption in transit via TLS
  • Encryption at rest provided by the underlying cloud platforms (Vercel and Microsoft Azure)

Compliance and Framework Posture

  • NIST Cybersecurity Framework: Our security program is aligned to the NIST CSF (Identify, Protect, Detect, Respond, Recover).
  • SOC 2 Type II: Audit in progress. A report has not yet been issued.
  • PCI-DSS: Self-Assessment Questionnaire (SAQ) completed as a service provider. Attestation of Compliance (AOC) available on request.
  • HIPAA Security Rule: We engineer to the HIPAA Security Rule and will sign a Business Associate Agreement (BAA) for engagements involving protected health information (PHI). There is no such thing as HIPAA certification, and clients remain responsible for their own risk analysis.
  • Insurance: MHCIS carries cyber and errors and omissions (E&O) insurance. A Certificate of Insurance (COI) is available on request.

We do not hold any other certifications and do not claim any beyond those stated above.

Incident Response

If we identify or are notified of a security incident, we work to contain it, assess its scope and impact, notify affected parties as required by applicable law, remediate, and conduct a post-incident review. We do not operate a staffed 24/7 security operations center; incident response is handled by our engineering team using the monitoring and tooling described above.

Contact Information

  • Security, Legal, and Privacy: contact@mhcis.com
  • Phone: +1 (803) 881-3889 (Monday to Friday, 9:00 AM to 5:00 PM Eastern)
  • Address: 1325 Park Street, Suite 200, Columbia, SC 29201

Governing Law

This policy is governed by the laws of the State of South Carolina, USA, without regard to its conflict-of-laws principles.

Policy Updates

We may update this policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Significant changes may be communicated through our standard channels.


Acknowledgments

We thank the security research community for its ongoing work to keep systems and people safe. Your good-faith efforts help protect our organization and everyone who relies on our services.


MHC Information Services, LLC, a security and software engineering firm.

Back to Home