Contact: mailto:team@riverschool.app
Expires: 2027-04-24T00:00:00.000Z
Preferred-Languages: en
Canonical: https://riverschool.app/.well-known/security.txt
Policy: https://riverschool.app/security

# River School — security disclosure policy
#
# We welcome reports of security issues that affect the confidentiality
# or integrity of child or family data. River School is a COPPA-
# regulated service; security issues affecting child accounts are
# treated as the highest severity.
#
# Scope: *.riverschool.app and anything it reaches (Supabase project
# lunyumahgmuxzbiouzsm).
#
# Please include:
#   - a short description of the issue
#   - reproduction steps
#   - what data you believe is at risk
#
# Please do not:
#   - test against live child accounts you don't own
#   - exfiltrate more data than necessary to demonstrate the issue
#   - publicly disclose before we have a chance to fix (30-day window
#     from first response; longer if the issue requires schema changes)
#
# We don't have a cash bounty yet. We do credit reporters publicly
# (with permission) on the security page.