Security: GareBear99/BotFortress

SECURITY.md

Security Policy

Supported Versions

We release patches for security vulnerabilities in the following versions:

Version   Supported
1.0.x
< 1.0

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

We take the security of BotFortress seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Where to Report

Email: security@botfortress.admension.workers.dev (or create a private security advisory on GitHub)

What to Include

Please include the following information in your report:

  • Type of vulnerability (e.g., XSS, SQL injection, authentication bypass)
  • Full paths of source file(s) related to the vulnerability
  • Location of the affected source code (tag/branch/commit or direct URL)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit it

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days with assessment and expected timeline
  • Fix Timeline: Critical issues within 30 days, others within 90 days
  • Public Disclosure: After fix is deployed, coordinated with reporter

Disclosure Policy

  • Security researchers are encouraged to follow responsible disclosure practices
  • We request 90 days before public disclosure to allow time for patching
  • We will acknowledge security researchers in our release notes (unless anonymity is requested)

Security Measures

Infrastructure

  • Cloudflare Workers: Serverless architecture with automatic DDoS protection
  • D1 Database: SQLite-based with parameterized queries (SQL injection prevention)
  • Durable Objects: Isolated quota tracking per bot with atomic operations
  • Edge Network: 300+ global locations with automatic failover

Application Security

Authentication & Authorization

  • JWT tokens with secure signing (HS256)
  • Bcrypt password hashing (cost factor: 10)
  • User ownership validation on all protected endpoints
  • Session expiration and token refresh

Input Validation

  • Zod schema validation on all API inputs
  • Discord signature verification on bot webhooks
  • Rate limiting via Durable Objects (100k req/day per bot)
  • IP-based account creation limits (2 per household)

Data Protection

  • No sensitive data in logs
  • Discord bot tokens stored encrypted at rest
  • User passwords never stored in plain text
  • HTTPS enforced for all connections

Code Security

  • No eval() or dynamic code execution
  • Parameterized database queries only
  • Content Security Policy headers
  • CORS properly configured

Dependency Management

  • Regular dependency updates via Dependabot
  • Automated security scanning in CI/CD
  • Minimal dependency footprint
  • Cloudflare's trusted infrastructure

Monitoring & Incident Response

  • Cloudflare Workers analytics for anomaly detection
  • Automated cleanup of inactive accounts (90-day retention)
  • Quota enforcement prevents resource exhaustion
  • Failed authentication monitoring

Known Limitations

Current Scope

  • Bot code is user-provided and runs in isolated Cloudflare Workers
  • Bot developers are responsible for their own code security
  • Platform provides sandboxing but cannot prevent all malicious bot behavior

Future Improvements

  • Two-factor authentication (2FA) for user accounts
  • Advanced rate limiting per user (not just per bot)
  • Bot code static analysis before deployment
  • Security audit logging

Security Best Practices for Users

Bot Developers

  1. Never commit secrets - Use environment variables
  2. Validate all inputs - Discord interactions can be spoofed
  3. Limit permissions - Only request Discord permissions you need
  4. Keep dependencies updated - Regularly update your bot code
  5. Monitor quota usage - Unusual spikes may indicate abuse

Account Security

  1. Use strong passwords - Minimum 12 characters, mixed case, numbers, symbols
  2. Unique passwords - Don't reuse passwords from other services
  3. Review bot activity - Check deployed bots regularly
  4. Revoke unused bots - Delete bots you're no longer using

Compliance

GDPR (General Data Protection Regulation)

  • User data minimization (only email + password hash stored)
  • Right to deletion (account deletion removes all data)
  • Data portability (export via API)
  • Transparent data processing

CCPA (California Consumer Privacy Act)

  • Clear privacy policy
  • Opt-out mechanisms for data collection
  • No sale of personal information

Security Audit History

Date        Type             Findings    Status
2026-01-23  Internal Review  0 Critical  ✅ Clear
TBD         External Audit   Pending     Planned

Contact

For security concerns that are not vulnerabilities, contact: hello@botfortress.admension.workers.dev

Bug Bounty

We do not currently offer a bug bounty program, but we deeply appreciate responsible disclosure and will acknowledge researchers in our security advisories and release notes.
Last Updated: January 23, 2026
Version: 1.0.0

There aren’t any published security advisories