Security

We treat parent accounts, learner records, lesson transcripts, and payment events as production data that must be handled carefully.

What is in place

  • Hashed passwords with one-time email verification and reset tokens
  • Cookie auth, antiforgery on browser posts, and route protection by role
  • Consent gating, direct notice, parent verification, and data-rights workflows
  • Billing webhook verification and event logging
  • Correlation IDs, health checks, and operational event logging

How to report a security issue

Please email [email protected] with the subject line "Security report". Include reproduction steps, the affected route, and any screenshots or logs that help us reproduce the issue.

A machine-readable disclosure notice is also published at /.well-known/security.txt.