MSMCPScan

Terms

Last updated: July 15, 2026

These terms describe the current MCPScan fixed-scope audit service. They are a practical operating policy, not a substitute for legal advice or a negotiated master services agreement.

Service

MCPScan provides focused production-readiness reviews of MCP server configuration, tool exposure, permissions, secret exposure, transport signals, and related evidence provided by the customer.

Scope

Each package is limited to the server, environment, delivery, call, and re-scan limits described at purchase. Scope changes require written approval before work continues.

Authorization

The customer must have authority to submit all reviewed materials and authorize the review. MCPScan does not perform live exploitation, penetration testing, social engineering, destructive testing, or remediation implementation unless separately agreed in writing.

Customer Materials

Customers should provide sanitized configs or safe test targets where possible. Do not send raw production credentials, tokens, private customer data, or unrelated source code through public issues or ordinary email.

Deliverables

Deliverables may include a written report, inventory, findings, remediation checklist, findings call, buyer-facing summary, and re-scan depending on the package purchased.

No Guarantee

MCPScan audits are not compliance certifications, legal opinions, security guarantees, or complete penetration tests. Findings reflect the reviewed snapshot and materials available at the time of assessment.

Payment

Payment is due before audit work begins unless otherwise agreed. The delivery clock starts after intake materials are complete.

Contact

Until a dedicated domain mailbox is live, use the GitHub audit request flow for sanitized scope questions.