
Discord Bot Security

This page covers how you should treat security researchers and how to set up proper security contact channels.

Do's and Don'ts

Do's and Don'ts for dealing with whitehat security researchers.

Do:

  • Respond to vulnerabilities nicely
  • Request extra time if you need it, but fix the issue within 90 days
  • Keep them in the loop

Don't:

  • Threaten legal action
  • Respond aggressively
  • Ghost them

Setting up proper disclosure channels

You should set up a .well-known/security.txt file (RFC 9116); this is the first place most researchers check for contact details.

Setting up encrypted/protected messaging

You should have an encrypted way for researchers to reach out to you; the easiest option is PGP over email. As an example, see Dank Memer's security.txt: they have signed their security.txt with their PGP key and included a link to their public key.

Security researchers will use this public key to encrypt messages to you via the communication channel you provided.
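As an added example (not code from this page, Dank Memer or Discord), the following Python checker parses a cleartext-signed security.txt like the one described above and reports the problems a researcher would notice: a missing Contact, a missing, expired or far-future Expires, plain-http URIs, and an unsigned file. The sample file, its example.com domain and key URL are constructed placeholders, and the checker does not verify the PGP signature itself (that is gpg's job).

```python
from __future__ import annotations
from datetime import datetime, timedelta, timezone

# Constructed sample of a cleartext-signed security.txt (placeholder domain, signature omitted).
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: mailto:security@example.com
Encryption: https://example.com/.well-known/pgp-key.txt
Expires: 2026-06-30T00:00:00Z
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
"""

def split_signed(text: str) -> tuple[str, bool]:
    """Return (field body, was_signed). Verifying the signature itself is gpg's job."""
    if not text.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
        return text, False
    body = text.split("\n\n", 1)[1]  # drop the armor header block ("Hash: ...")
    return body.split("-----BEGIN PGP SIGNATURE-----", 1)[0], True

def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return problems found against RFC 9116; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    body, signed = split_signed(text)
    fields: dict[str, list[str]] = {}
    for line in body.splitlines():
        if line.strip() and not line.startswith("#"):  # '#' lines are comments
            name, _, value = line.partition(":")
            fields.setdefault(name.strip(), []).append(value.strip())
    problems = []
    if not signed:
        problems.append("not PGP cleartext-signed (RFC 9116 recommends signing)")
    if "Contact" not in fields:
        problems.append("missing required Contact field")
    try:  # Expires is required and ISO 8601; a naive timestamp is treated as UTC
        ts = datetime.fromisoformat(fields.get("Expires", [""])[0].replace("Z", "+00:00"))
        exp = ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)
    except ValueError:
        exp = None
    if exp is None:
        problems.append("Expires missing or not a valid ISO 8601 date-time")
    elif exp <= now:
        problems.append("Expires is in the past; researchers will treat the file as stale")
    elif exp - now > timedelta(days=365):
        problems.append("Expires is more than a year out (RFC 9116 recommends less)")
    for name, values in fields.items():
        if any(v.lower().startswith("http://") for v in values):
            problems.append(f"{name} uses plain http; web URIs in security.txt must be https")
    return problems
```

Run it against your own .well-known/security.txt before publishing, and again whenever you rotate the PGP key or bump Expires.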

Getting started on PGP Encryption

Bug bounties

HackerOne is an easy way to set up your disclosure channels. Set up a profile, offer a bug bounty, do the above, and you are done :).

If you want, you can also run a bug bounty yourself.

Disclosure Policy

Your disclosure policy should outline which systems are in scope, which are out of scope, and what researchers can expect from you, as seen in Dank Memer's Disclosure Policy or Discord's Disclosure Policy.