Security and Responsible Disclosure
Last updated: May 7, 2026.
Our security posture
Parker Smart Kids takes security seriously, especially because the service handles family data and a paid product. Our protections include:
- HTTPS everywhere with HSTS preload (the site cannot be loaded over plain HTTP)
- Content Security Policy restricting script and connect sources
- X-Frame-Options to prevent clickjacking
- X-Content-Type-Options to prevent MIME-type sniffing attacks
- Referrer-Policy and Permissions-Policy minimizing data exposure
- Bcrypt password hashing (we never store cleartext passwords)
- PCI-DSS Level 1 compliant payment processing through Stripe (we never see card numbers)
- Edge-cached delivery via Cloudflare with DDoS protection
- Minimal data collection — we only store what we need to deliver the service
Reporting a vulnerability
If you find a security vulnerability, please report it privately so we can fix it before it can be exploited. We welcome and appreciate responsible disclosure.
How to report
- Email: security@parkersmartkids.com
- Include: a description of the issue, steps to reproduce, the affected URL or component, and any proof-of-concept output. Please do not include real user data.
What we ask
- Give us a reasonable time (typically 30-90 days) to fix the issue before public disclosure.
- Do not access, modify, or destroy data belonging to other users.
- Do not attempt to extract data, run automated denial-of-service tests, or use social engineering against staff.
- Do not test the live payment system with real money — contact us first to coordinate a safe test path.
What you can expect from us
- Acknowledgment of your report within 2 business days.
- An update on the status within 7 business days.
- Credit (with your permission) on our security acknowledgments page once the issue is resolved.
Out of scope
- Reports from automated scanners with no demonstrated impact
- Issues already publicly disclosed
- Theoretical issues without a working proof of concept
- Social engineering of our staff or family members
Bug bounty
We don't currently run a paid bug bounty program, but we recognize researchers publicly with their permission and respond promptly to valid reports.