Posture
TLS everywhere, modern ciphers, and edge security via Cloudflare. Secrets that the Worker reads at runtime (Stripe keys, webhook secret) live in Cloudflare Secrets Store, not in code or environment files. The 2FA policy on operator accounts is YubiKey/WebAuthn on every service that supports it; TOTP on services that do not. SMS-2FA is excluded.
Audit log
We track every claim against reality so this page and the running system stay aligned. Last reviewed 2026-05-26.
| Control | Status | Verification |
|---|---|---|
| TLS 1.3 with modern ciphers | Shipped | Cloudflare edge serves TLS 1.3 with TLS_AES_256_GCM_SHA384; cert via Google Trust Services. |
| Secrets in Cloudflare Secrets Store | Shipped | The checkout Worker reads three Stripe secrets through secrets_store_secret bindings, not from environment text or source. |
| SPF (sender policy) | Shipped | `v=spf1 include:_spf.mx.cloudflare.net ~all` at the apex. |
| DMARC (monitoring mode) | Shipped 2026-05-26 | p=none with aggregate reports forwarded to a dedicated mailbox. We will tighten to p=quarantine after 2–4 weeks of clean reports. |
| DKIM (outbound signing) | Deferred | Cloudflare Email Routing is receive-only. DKIM becomes relevant when an outbound sender (e.g. Resend) is wired; tracked alongside that work. |
| HSTS | Deliberately off | HSTS pins clients to HTTPS for a fixed period and is hard to reverse cleanly during early launch. We will enable it once the live posture is stable. |
| security.txt | Shipped | Served at /.well-known/security.txt with disclosure contacts and expiry. |
| Email aliases referenced on the site | Shipped 2026-05-26 | All addresses linked from any page (security, privacy, accessibility, hotline-ops, report-fraud, press, legal, hello) route to the operator inbox. |
| YubiKey / WebAuthn on operator accounts | In progress | Per-service enrollment is tracked in our internal setup queue. Services that support WebAuthn use YubiKey; the rest use TOTP. SMS-2FA is forbidden. |
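The SPF and DMARC rows above can be checked mechanically rather than by eye. The following is an added example (not the site's own tooling): it parses an SPF TXT record and a DMARC TXT record and reports whether they match the stated posture (a soft- or hard-fail `all`, DMARC in monitoring mode with aggregate reporting wired). The SPF string is the one published in the audit log; the DMARC record and its `rua=` mailbox are constructed placeholders, since the page does not publish the reporting address. No DNS lookups are performed; the records are supplied as strings.

```python
"""Check published SPF and DMARC TXT records against the posture stated above.

Added example, not the site's own tooling. The SPF string is the one quoted
in the audit log; the DMARC record and its rua= mailbox are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed samples: SPF as published on the page; rua= is a placeholder.
SPF_RECORD = "v=spf1 include:_spf.mx.cloudflare.net ~all"
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid"

# Mechanisms we recognise but do not evaluate (no DNS lookups in this example).
_PASSIVE_MECHANISMS = ("a", "mx", "ip4", "ip6", "exists", "ptr")


@dataclass
class SpfResult:
    includes: List[str] = field(default_factory=list)
    all_qualifier: Optional[str] = None   # "+", "-", "~" or "?" once an all term is seen
    problems: List[str] = field(default_factory=list)


def parse_spf(record: str) -> SpfResult:
    """Parse an SPF TXT record and flag structural problems (RFC 7208 rules)."""
    result = SpfResult()
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        result.problems.append("missing v=spf1 version tag")
        return result
    for term in terms[1:]:
        if result.all_qualifier is not None:
            # RFC 7208: evaluation stops at 'all', so later terms are dead.
            result.problems.append(f"term {term!r} after 'all' is never evaluated")
            continue
        qualifier = "+"                       # the default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.lower().split(":", 1)[0].split("/", 1)[0]
        if name == "include" and ":" in term:
            result.includes.append(term.split(":", 1)[1])
        elif name == "all":
            result.all_qualifier = qualifier
        elif name in _PASSIVE_MECHANISMS or term.lower().startswith("redirect="):
            continue
        else:
            result.problems.append(f"unrecognised term {term!r}")
    if result.all_qualifier is None:
        result.problems.append("no terminal 'all' mechanism; unlisted senders get neutral")
    elif result.all_qualifier == "+":
        result.problems.append("'+all' authorises every sender on the internet")
    return result


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(tags: Dict[str, str]) -> Dict[str, object]:
    """Report whether the record is monitoring-only and what would block tightening."""
    problems: List[str] = []
    if tags.get("v") != "DMARC1":
        problems.append("first tag must be v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        problems.append(f"p= must be none/quarantine/reject, got {policy!r}")
    rua = tags.get("rua")
    if not rua:
        # Without rua= there are no aggregate reports to judge a p=quarantine move on.
        problems.append("no rua=; aggregate reports are not being collected")
    elif not all(u.strip().startswith("mailto:") for u in rua.split(",")):
        problems.append("rua= entries must be mailto: URIs")
    return {"policy": policy, "monitoring_only": policy == "none", "problems": problems}


if __name__ == "__main__":
    spf = parse_spf(SPF_RECORD)
    print("SPF includes:", spf.includes, "all:", spf.all_qualifier, "problems:", spf.problems)
    print("DMARC:", assess_dmarc(parse_dmarc(DMARC_RECORD)))
```

To run it against the live zone, replace the two constants with the TXT values returned for the apex and for `_dmarc.<apex>`; the `monitoring_only` flag is what should flip to `False` once the planned move to `p=quarantine` lands.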
If a specific control is not listed, email security@thefamilyword.com and we will tell you its state on the record.
Hosting
Cloudflare Workers serves the static assets, Cloudflare runs the DNS, and R2 stores binary assets.
Data minimization
We collect only what is needed for fulfillment and routing. See the privacy policy for the full list.
Receipt content
Receipts and routing confirmations include only the minimum personal information needed to identify the order or call.
Responsible disclosure
Email security@thefamilyword.com (or hello@thefamilyword.com). Include reproduction steps and your contact information. We acknowledge within 2 business days and aim to triage within 5.
Safe harbor
We will not pursue legal action against good-faith researchers who follow our scope and disclosure timeline.
Scope (in)
- thefamilyword.com
- The hotline service
- Any *.thefamilyword.com subdomain
Scope (out)
- Testing on third-party services (Stripe, Twilio infrastructure).
- Social engineering of staff.
- Denial-of-service or load testing.
- Physical attacks.
Not in scope (accepted risk)
- Low-severity automated scanner reports without a working exploit.
- Missing best-practice headers absent a real vulnerability.
- Public-information disclosure of the LLC name or registered address.
security.txt
Our machine-readable disclosure contact lives at https://thefamilyword.com/.well-known/security.txt.
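As an added example (not the site's own file or tooling), here is a small parser and validator for a security.txt body following the RFC 9116 field rules: at least one `Contact:`, exactly one `Expires:` that is in the future and not more than a year out, and URI-shaped values. The sample file is constructed: the contact addresses and the canonical URL are the ones on this page, while the `Expires` value and the `REVIEW_DATE` used as "now" are placeholders.

```python
"""Parse and sanity-check a security.txt file (RFC 9116 field rules).

Added example; the sample below is constructed from the contact addresses and
URL on this page, with a placeholder expiry date.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample: Contact and Canonical come from this page; the Expires
# value is a placeholder, not the live file's.
SAMPLE_SECURITY_TXT = """\
# Disclosure contact for thefamilyword.com (constructed sample)
Contact: mailto:security@thefamilyword.com
Contact: mailto:hello@thefamilyword.com
Expires: 2027-01-01T00:00:00Z
Canonical: https://thefamilyword.com/.well-known/security.txt
Preferred-Languages: en
"""

# Placeholder "now" so the check is reproducible (matches the page's review date).
REVIEW_DATE = datetime(2026, 5, 26, tzinfo=timezone.utc)

CONTACT_SCHEMES = ("mailto:", "https:", "tel:")


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Return lower-cased field name -> list of values; comments and blank lines are skipped."""
    fields: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: not a 'Field: value' line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_expires(value: str) -> datetime:
    """Expires is an RFC 3339 timestamp; accept the trailing 'Z' spelling as well."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("Expires must carry a timezone offset")
    return dt


def validate_security_txt(fields: Dict[str, List[str]],
                          now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    problems: List[str] = []

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact: at least one value is required")
    for c in contacts:
        if not c.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact: {c!r} is not a mailto:/https:/tel: URI")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append(f"Expires: expected exactly one value, found {len(expires)}")
    else:
        try:
            dt = _parse_expires(expires[0])
        except ValueError as exc:
            problems.append(f"Expires: {exc}")
        else:
            if dt <= now:
                # A stale file tells researchers the contacts may no longer be monitored.
                problems.append(f"Expires: {expires[0]} is in the past; file is stale")
            elif dt - now > timedelta(days=365):
                problems.append("Expires: more than a year out (RFC 9116 recommends less)")

    for c in fields.get("canonical", []):
        if not c.lower().startswith("https://"):
            problems.append(f"Canonical: {c!r} should be an https:// URI")
    return problems


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE_SECURITY_TXT)
    print(parsed)
    print("problems:", validate_security_txt(parsed, now=REVIEW_DATE))
```

Pointing `parse_security_txt` at the body fetched from the URL above (and dropping the `now=` argument so the real clock is used) turns this into a periodic check that the published expiry has not lapsed.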
Hall of fame
We will list researchers who report verified issues, with permission. Be the first.
Contact
Security questions: security@thefamilyword.com (or hello@thefamilyword.com).