Security: hooftly/MyParent

docs/SECURITY.md

Security Policy

Responsible disclosure

We welcome reports of security vulnerabilities. Please follow these steps:

  1. Email security@myparent.app with a detailed description of the issue, proof-of-concept steps, and potential impact.
  2. Encrypt sensitive details with our PGP key (available on the company wiki) when possible.
  3. Allow us at least 10 business days to acknowledge and respond, and coordinate on disclosure timelines before making findings public.
  4. Do not create public GitHub issues for security reports.

We appreciate responsible researchers and will credit validated reports in our release notes.

Supported versions

Security fixes target the main branch. Deployments should stay within one minor release of the latest tag to receive patches.

Dependency management

  • Run npm audit and npm outdated monthly in CI and remediate critical/high vulnerabilities immediately.
  • Use Dependabot or Renovate to automate npm dependency updates.
  • After Prisma upgrades, regenerate the client (npm run -w apps/api build) and redeploy migrations.

Secrets management

  • Local development uses .env with dotenv loading; never commit .env files.
  • Production secrets (e.g., JWT_SECRET, admin bootstrap credentials) must be sourced from a secret manager (AWS SSM, Vault, Doppler, etc.) and injected via environment variables at runtime.
  • Rotate JWT_SECRET during maintenance windows; all sessions become invalid upon rotation.

Cookie security

  • Session cookies are HttpOnly and SameSite=Lax by default.
  • Set COOKIE_SECURE=true in any environment served over HTTPS so cookies are only transmitted via TLS.
  • Behind a TLS-terminating load balancer, ensure the proxy forwards X-Forwarded-Proto=https so nginx can redirect HTTP to HTTPS if configured.
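The three cookie rules above in code, as an added example (not MyParent code): the Set-Cookie header with HttpOnly and SameSite=Lax always present and Secure only when COOKIE_SECURE=true, an HTTPS check that believes X-Forwarded-Proto only when the app is told it sits behind the trusted load balancer, and the redirect target an HTTP-to-HTTPS redirect would use. The trustProxy flag, the function names and the request objects are assumptions constructed for this example.

```javascript
// session-cookie.js: added example, not MyParent code.
'use strict';

// Set-Cookie value for the session cookie. Secure is gated on COOKIE_SECURE
// because browsers drop Secure cookies on plain-HTTP origins (local dev), and
// a login would then silently never stick.
function sessionCookieHeader(name, value, env = process.env, opts = {}) {
  if (!/^[\w-]+$/.test(name)) throw new Error('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'HttpOnly', 'SameSite=Lax'];
  if (opts.maxAgeSeconds !== undefined) parts.push(`Max-Age=${Math.floor(opts.maxAgeSeconds)}`);
  if (env.COOKIE_SECURE === 'true') parts.push('Secure');
  return parts.join('; ');
}

// Behind a TLS-terminating load balancer the socket is plain HTTP; the only
// evidence of TLS is X-Forwarded-Proto, which may be believed only when the
// request really came through that proxy (any direct client can forge it).
function requestIsHttps(req, trustProxy) {
  if (req.socket && req.socket.encrypted) return true;
  if (!trustProxy) return false;
  const xfp = req.headers && req.headers['x-forwarded-proto'];
  if (!xfp) return false;
  // Comma-separated chain when several proxies are involved; first = client-facing hop.
  return String(xfp).split(',')[0].trim().toLowerCase() === 'https';
}

// URL to redirect to when a request arrived over plain HTTP, or null if it
// is already HTTPS (the same decision nginx makes when configured to redirect).
function redirectTarget(req, trustProxy) {
  if (requestIsHttps(req, trustProxy)) return null;
  const host = req.headers && req.headers.host;
  if (!host || !/^[A-Za-z0-9.-]+(:\d+)?$/.test(host)) return null; // refuse odd Host values
  return `https://${host}${req.url || '/'}`;
}

// Startup check: production is served over HTTPS per this policy, so
// COOKIE_SECURE must be true there. Returns a list of problems (empty = ok).
function checkCookieConfig(env) {
  const problems = [];
  if (env.NODE_ENV === 'production' && env.COOKIE_SECURE !== 'true') {
    problems.push('COOKIE_SECURE must be "true" in production (HTTPS-only cookies)');
  }
  return problems;
}

// Constructed requests: one via the load balancer, one direct plain HTTP.
const viaProxy = { socket: { encrypted: false }, url: '/login',
  headers: { host: 'app.example.test', 'x-forwarded-proto': 'https' } };
const directHttp = { socket: { encrypted: false }, url: '/login',
  headers: { host: 'app.example.test' } };

console.log(sessionCookieHeader('session', 'opaque-id', { COOKIE_SECURE: 'true' }));
console.log(requestIsHttps(viaProxy, true), redirectTarget(directHttp, true));
```

Set trustProxy only when the API is reachable exclusively through the load balancer; if the container could ever be hit directly, a forged X-Forwarded-Proto would make a plain-HTTP request look like TLS.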

Infrastructure hardening

  • Restrict Docker daemon access to trusted operators.
  • Regularly prune unused images (docker image prune) to reduce attack surface.
  • Mount the api_data volume with proper filesystem permissions and nightly backups.
  • Enable firewall rules so only ports 80/443 are public; the API container is reachable only on the internal network.