# Security Policy

## Reporting a vulnerability

If you believe you have found a security vulnerability in MJE Part Shop, please email **security@part-shop.pages.dev** with:

- A description of the issue
- Steps to reproduce
- Affected endpoints or code paths
- Your contact information

Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and fix it. We aim to acknowledge reports within 3 business days and provide a remediation timeline within 10 business days.

## Scope

In scope:
- Authentication and authorization flaws
- Cross-tenant data leakage between schools
- XSS, injection, or prototype pollution
- Forgery of tokens or bypassing HMAC verification
- Information disclosure of student data
- Child-safety issues (content moderation gaps, moderation bypass)

Out of scope:
- DoS attacks
- Social engineering of school staff
- Physical security of school devices

## Our security practices

- HMAC-SHA256-signed session tokens verified on every data endpoint
- TLS 1.3 in transit
- No hard-coded secrets in the repository
- Per-school tenant isolation
- Input sanitization on student-supplied fields
- No third-party trackers or analytics that transmit student data
- Regular review of the data access surface as the Service evolves

## Disclosure

We will credit reporters who responsibly disclose security issues, unless they request otherwise.