We take security issues seriously, especially anything involving authentication, Discord access, payment flows, webhook integrity, or entitlement escalation.
Security fixes are targeted at the current main branch.
Please do not report security issues in public GitHub issues.
Instead, report them privately by emailing:
basic@basicbit.net
If GitHub private vulnerability reporting is enabled for this repository, you may use that path as well.
When possible, include:
- a clear description of the issue
- affected area or file paths
- reproduction steps or proof of concept
- impact assessment
- any suggested remediation
We aim to:
- acknowledge reports within 5 business days
- investigate and validate the issue
- coordinate a fix and disclosure timeline with the reporter when appropriate
Examples of issues we want reported privately:
- authentication or session bypass
- Discord role or entitlement escalation
- OAuth token exposure or improper storage
- webhook signature verification flaws
- payment flow vulnerabilities
- secret leakage
Thank you for helping keep Perkcord and its users safe.