Homeschool OS™

Security & responsible disclosure

Last reviewed: April 30, 2026

Homeschool OS stores records about families and their children. We take security seriously and welcome reports from researchers who help us keep that data safe. This page describes how to reach us, what to expect when you do, and what we promise in return.

How to report a vulnerability

Email: security@homeschoolos.io

We also publish /.well-known/security.txt per RFC 9116 with the same contact and policy.

When you report something, it helps us if your message includes:

  • A clear description of the issue and its impact (what an attacker could do).
  • Reproduction steps, including any URLs, payloads, or accounts involved.
  • The browser, operating system, and date/time when you observed the issue.
  • Any logs, screenshots, or network captures that demonstrate the problem.

Please send the report from an email address we can reply to. PGP is not currently required; we may add an encryption option for sensitive reports on request.

What you can expect from us

  • Acknowledgment within 5 business days of any well-formed report.
  • Triage and severity assessment within 10 business days.
  • A target fix window sized by severity:
      - Critical (active exploit, data exposure, account takeover): 30 days, with mitigations or temporary takedowns deployed faster when feasible.
      - High: 60 days.
      - Medium / low: scheduled into normal product work; we will keep you updated.
  • Credit, if you want it. With your permission, we will name you in the changelog or on this page when the fix ships. We can also keep your report private if you prefer.
  • No retaliation. We will not pursue legal action against researchers who follow this policy and act in good faith.

We do not currently offer a paid bounty program. If that ever changes, this page will be the canonical announcement.

Safe harbor for good-faith research

If you make a good-faith effort to comply with this policy during your research, we consider that research to be authorized. In particular, we will not:

  • Bring legal action under the Computer Fraud and Abuse Act, the DMCA's anti-circumvention provisions, or comparable state laws against research that is consistent with this policy.
  • Treat such research as a Terms of Service violation.

In return, please:

  • Stop and report as soon as you have established the vulnerability — do not exfiltrate more data than is necessary to demonstrate the issue.
  • Avoid privacy violations. If you encounter another family's data, stop and tell us. Do not save, share, or publish it.
  • Avoid service disruption. No denial-of-service tests, no automated scans that generate excessive load, no destructive testing against production data.
  • Do not phish, social-engineer, or physically test our staff or facilities.
  • Hold reports confidential until we have had a reasonable opportunity to investigate and remediate (typically the fix-window above), then coordinate any disclosure with us.

Out of scope

The following classes of report are typically not eligible for safe harbor or for prioritized handling:

  • Findings from automated tools without a working proof of concept.
  • Reports that require physical access to a victim's device or session.
  • Missing security headers without a demonstrated impact (we already publish a strong header set; gap reports against industry best practice are welcome but informational).
  • Self-XSS, clickjacking on pages with no sensitive actions, or rate-limit / brute-force on endpoints we do not consider sensitive.
  • Issues in third-party services we use (Stripe, Supabase, Vercel, Cloudflare, etc.) — please report those to the upstream vendor; we are happy to help coordinate.

Updates to this policy

We review and update this policy at least annually, and whenever the product changes in ways that materially affect security. The "Last reviewed" date at the top reflects the most recent review.

© 2026 Homeschool OS LLC. All rights reserved. Homeschool OS™ is a trademark of Homeschool OS LLC.