Security
Vulnerability Disclosure Policy
Last updated: May 31, 2026
Overview
The security of BotBase and the privacy of its users are important to us. If you discover a security vulnerability in any of our systems, we encourage you to report it responsibly. We are committed to working with the security community to investigate and resolve valid reports promptly.
This page describes our Vulnerability Disclosure Policy (VDP). It outlines the scope of what is covered, how to report, what to expect from us, and what we expect from you.
Scope
The following systems are in scope for vulnerability reports:
- The BotBase dashboard web application
- The BotBase REST API (served at the same domain under /api/)
- The BotBase Discord bot
The following are out of scope:
- Vulnerabilities in Discord itself - report those to Discord at discord.com/security
- Denial-of-service attacks (we rely on rate limiting to mitigate them; active DoS testing is not research we invite)
- Social engineering attacks targeting our team members
- Physical security attacks
- Spam or bulk messaging via the bot
How to Report
Contact the service operator to report security vulnerabilities. Please do not report them through public channels.
What to Include
To help us triage and resolve your report quickly, please include:
- A clear description of the vulnerability and the potential impact
- The affected URL, endpoint, or component
- Step-by-step reproduction instructions
- Proof-of-concept code or screenshots where applicable
- Your Discord username or email if you would like credit in our acknowledgements
What to Expect From Us
After you submit a report, here is our commitment to you:
| Milestone | Target timeline |
|---|---|
| Initial acknowledgement | Within 3 business days |
| Vulnerability confirmed or rejected | Within 14 days of acknowledgement |
| Fix deployed and reporter notified | Within 90 days of initial report |
We will keep you informed of our progress. If we need more time due to complexity, we will let you know and agree on an extended timeline before any public disclosure.
Safe Harbor
If you act in good faith and in compliance with this policy, we will not pursue legal action against you in connection with your research. Specifically, we consider good-faith security research to include:
- Only testing against systems you own or have explicit authorisation to test, or using accounts you control
- Avoiding access to, modification of, or exfiltration of data belonging to other users
- Not disrupting or degrading the Service or its users
- Notifying us promptly and giving us reasonable time to fix before any public disclosure
- Not exploiting the vulnerability beyond what is necessary to demonstrate its existence
This safe harbor does not apply to vulnerabilities discovered through testing against other users' accounts, automated scanning tools that impact availability, or physical attacks.
Bug Bounty
At this time, we do not offer a monetary bug bounty program. However, we sincerely appreciate security researchers who help make BotBase safer. Reporters of valid, in-scope vulnerabilities will receive:
- Public acknowledgement in our security hall of fame (with your permission)
- Our sincere thanks
Contact
For security reports or general enquiries, contact the service operator.