Security at Morning Consult

At Morning Consult, we prioritize information security and responsible management of the data we are entrusted to process. Security and privacy are central to our organization. Visit our Trust Center for full details about our Information Security Program.

Compliance

Morning Consult’s information security program is aligned with the AICPA SOC 2 framework, and we undergo annual SOC 2 Type II audits covering all five Trust Services Criteria: Security, Confidentiality, Availability, Processing Integrity and Privacy. Further, Morning Consult complies with relevant privacy regulations including GDPR and CCPA to ensure the privacy and security of all personal data collected, processed and stored.

Infrastructure

Morning Consult production systems are hosted in Amazon Web Services (AWS) cloud services located in the USA, replicated across multiple intra-region Availability Zones for data durability. AWS maintains state-of-the-art physical, environmental and utility controls, and operates in alignment with leading industry standards including ISO27001, ISO27017, SOC1 and SOC2.
Our cloud infrastructure is architected in alignment with AWS’s Security Reference Architecture, which segregates critical service accounts into separate Organizational Units (OUs) with OU-level Service Control Policies to enforce default industry-recommended controls. Enforced control policies include management controls, network resource restrictions and machine image configurations. Morning Consult performs regular vulnerability scans and penetration tests, and threat/intrusion detection tools are used to monitor for malicious activity and unauthorized behavior. Systems are regularly updated with relevant security updates and patches.

Data Handling

When you use Morning Consult services, all data-in-transit over any untrusted network is fully encrypted using current industry standard protocols, specifically HTTPS over TLS 1.2 / 1.3. All the data we process to deliver our services is stored encrypted at rest using AES-256 encryption. Morning Consult additionally supports Single Sign-On (SSO) via a SAML 2.0 integration with your identity provider, both to simplify access and to ensure compliance with your authentication policies.

Responsible Disclosure at Morning Consult 

At Morning Consult, we welcome responsible, good-faith efforts by security researchers to help identify potential security issues. We encourage responsible disclosure of security vulnerabilities and are committed to working collaboratively with researchers to investigate and remediate valid issues.

Our commitment

When you report a potential security issue to Morning Consult, we commit to:

  • Treating all researchers with respect and professionalism

  • Maintaining confidentiality throughout the disclosure process

  • Acknowledging receipt of your report in a timely manner

  • Working with you to validate and remediate confirmed vulnerabilities

  • Coordinating disclosure in a way that protects our customers, users and systems

Addressing reported vulnerabilities may take time depending on severity, complexity, and affected systems, but we aim to communicate clearly throughout the process.

Our Expectations of Researchers

We ask that you:

  • Act in good faith and avoid actions that could harm users, customers, or system availability

  • Provide clear, detailed reproduction steps and sufficient information to allow us to validate your report efficiently

  • Limit testing to systems and activities explicitly in scope

  • Avoid accessing, modifying, or retaining sensitive data beyond what is necessary to demonstrate impact

  • Refrain from publicly disclosing details of the vulnerability until remediation is complete and disclosure is coordinated with us

  • Comply with all applicable laws and regulations

Scope:

In scope

  • Publicly accessible Morning Consult owned domains/subdomains, web applications, APIs and services

Out of scope activities include, but are not limited to:

  • Physical security testing of offices, employees, or equipment

  • Social engineering, phishing, or other non-technical attacks

  • Denial-of-service (DoS/DDoS) or resource exhaustion testing

  • Accessing, downloading, or modifying data belonging to other users or customers

  • Testing that results in spam, unsolicited messages, or abuse of services

  • Testing third-party services, integrations, or infrastructure not owned by Morning Consult

  • Defacement or persistent modification of assets

Vulnerability Reporting

Please report potential security vulnerabilities by emailing: security@morningconsult.com

For initial contact:

  • Do not include highly sensitive information (such as real user credentials, private keys, or full datasets).
  • Include:
    • Affected system or URL
    • A clear description of the issue
    • Step-by-step reproduction instructions
    • The potential impact or security risk
    • Any relevant screenshots or proof-of-concept details (redacted as appropriate)

Secure Communication

If encrypted communication is required, please indicate this in your initial email. We are happy to establish a secure communication channel when warranted based on sensitivity or upon request.

Bug Bounties

Morning Consult does not offer monetary rewards or bug bounties for vulnerability reports.
We believe responsible disclosure is best supported through clear communication and timely remediation rather than financial incentives. With a reporter’s permission, we are happy to acknowledge responsible disclosures publicly or privately.

Coordinated Disclosure

We follow a coordinated disclosure approach and ask that vulnerabilities not be publicly disclosed until remediation is complete or disclosure has been mutually agreed upon. Disclosure timelines may vary based on severity and risk, but we strive to work collaboratively and transparently throughout the process.

Thank You

We appreciate the efforts of the security research community in helping keep Morning Consult and our customers secure. Your responsible disclosures help strengthen our systems and services for everyone.