Security
Responsible disclosure
Families trust us with sensitive moments — birthdays, medical notes, photographs of small humans. If you’ve found something that could break that trust, we want to hear from you before anyone else does.
How to report
Email security@learningparenting.com. Please include a clear description of the issue, steps to reproduce, the impact you believe it has, and any proof-of-concept you’re comfortable sharing. We aim to acknowledge reports within two business days.
Our machine-readable contact details live at /.well-known/security.txt (RFC 9116).
What we ask of you
- Give us a reasonable window to fix the issue before any public disclosure. Ninety days is the conventional ceiling; we will move faster on anything that actively endangers families.
- Don’t access, alter, or exfiltrate data that isn’t clearly your own test account. If you stumble into someone else’s data while testing, stop and tell us.
- Don’t run automated scans or load tests that could degrade the service for real parents. A single targeted request is almost always enough to demonstrate impact.
- Don’t use social engineering, physical attacks, or denial-of-service to demonstrate a finding.
What you can expect from us
- Acknowledgement within two business days. A more substantive triage reply within seven.
- Status updates as we work through the fix, and a heads-up before we ship the patch.
- Public credit on this page if you’d like it (and quiet gratitude if you wouldn’t).
- No legal action against good-faith security research that follows this policy. We treat you as an ally, not an adversary.
In scope
- learningparenting.com and its subdomains.
- The web app, the installable PWA, and our public APIs.
- Our authentication, billing, gifting, and data-export flows.
Out of scope
- Reports generated only by automated scanners with no demonstrated impact.
- Missing security headers on endpoints that don’t serve sensitive content (we welcome the heads-up, but it isn’t a vulnerability on its own).
- Rate-limit reports without a credible abuse story attached.
- Issues in third-party services we depend on (Clerk, Stripe, Vercel, etc.) — please report those to the vendor directly.
- Self-XSS, clickjacking on pages with no sensitive state, and issues that require a fully compromised user device.