Security policy

If you've found a vulnerability, here's how to tell us — and what you can expect back.

Reporting a vulnerability

Found something concerning? Please tell us privately by email — don't file a public GitHub issue. We read every report and will get back to you fast.

security@esaycoparenting.com

What's in scope

These surfaces are fair game for responsible disclosure:

  • esaycoparenting.com and its subdomains
  • Our REST API at /api/v1/*
  • Our official mobile apps (once they're live in the App Store and Play Store)

What's out of scope

These are excluded. Issues in third-party services aren't ours to fix, so please report those to the upstream vendor; the remaining categories are not to be tested against us at all:

  • Third-party services like Stripe, Supabase, Sentry, Resend, Twilio, PostHog, and Upstash
  • Social engineering against our team or our users
  • Denial of service (DoS / DDoS) and volumetric attacks
  • Physical attacks against infrastructure or staff

Safe harbor

We won't take legal action against good-faith security research that follows this policy. Stay inside the scope above, don't touch data that isn't yours, don't degrade the service for other parents, and give us a reasonable window to respond before going public. We'll do our part too.

What you can expect from us

  • Initial reply within 24 hours
  • A triage update within 7 days
  • A fix — or a clear accepted-risk decision — within 30 days

No paid bounty (yet)

We don't fund a paid bug bounty right now. If you'd like public credit, we're happy to add validated reporters to a hall-of-fame on this page — just say the word.

Last updated: 2026-05-04

Security Policy · EasyCo Parenting