Guardiobot

Security Policy

Last updated: March 2026

Contents

  1. Our Approach to Security
  2. Data Protection Measures
  3. Authentication and Access Control
  4. Infrastructure Security
  5. Vulnerability Disclosure
  6. Incident Response
  7. Contact

1. Our Approach to Security

Guardiobot is built with security as a core design principle. We apply defence in depth — multiple independent controls at each layer — so that no single failure exposes the system or its users.

All processing runs on self-hosted infrastructure. No personal data is stored in external cloud databases. External communication is limited to specific third-party safety APIs and payment processing, all over encrypted connections.

2. Data Protection Measures

  • Passwords are hashed using a strong, memory-hard algorithm meeting current OWASP recommendations. Legacy hashes are transparently upgraded on next login.
  • Sensitive identifiers — including reporter identities, moderation reasons, and certain user identifiers — are cryptographically hashed at write time and are never stored in plaintext.
  • Third-party API keys provided by subscribers are stored using authenticated encryption and are never logged or transmitted outside their intended use.
  • All connections to and from the Service are encrypted in transit.

3. Authentication and Access Control

  • Volunteer access requires both a password and a time-limited code delivered to a registered email address (two-factor authentication)
  • Server owner access uses OAuth2 via Discord with server-side state validation
  • Session tokens are short-lived, httpOnly, and scoped to prevent cross-site use
  • Volunteer permissions are verified from the database on every request — the session token alone is never sufficient for permission decisions
  • Authentication endpoints are rate-limited to prevent brute-force attacks
  • Developer API keys are stored as hashes only — the raw key is shown once at creation and cannot be recovered

4. Infrastructure Security

  • No service component is directly accessible from the internet — all public access is routed through Cloudflare, which provides DDoS protection, WAF filtering, and TLS termination
  • The database is accessible only from within the local system
  • All SQL queries use parameterised statements — string-interpolated queries are not used anywhere in the codebase
  • Security headers (including Content Security Policy) are applied to all web-facing services
  • Stripe webhook requests are verified using Stripe's signature scheme before any processing occurs
  • All secrets are stored in environment variables and are never committed to version control

5. Vulnerability Disclosure

We operate a responsible disclosure policy. If you discover a security vulnerability in the Guardiobot platform, website, or API, please report it to us privately before making any public disclosure.

To report a vulnerability: email dev@guardiobot.org with a clear description of the issue, steps to reproduce, and your assessment of the potential impact.

We ask that you:

  • Give us at least 30 days to investigate and remediate before any public disclosure
  • Limit testing to what is necessary to demonstrate the vulnerability — do not access, modify, or exfiltrate other users' data
  • Do not disrupt service availability or affect other users

We will acknowledge receipt within 5 business days. We do not currently operate a bug bounty programme, but we will credit researchers who report valid vulnerabilities if they wish to be credited.

Deliberately exploiting a vulnerability rather than reporting it responsibly may constitute a criminal offence under the Computer Misuse Act 1990 and will be reported to law enforcement.

6. Incident Response

In the event of a confirmed data breach affecting personal data:

  • We will notify the Information Commissioner's Office (ICO) within 72 hours where required by UK GDPR
  • We will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
  • We will document the breach, its cause, the data affected, and the steps taken to remediate it

7. Contact

Guardiobot

Security vulnerabilities: dev@guardiobot.org

Data breaches & legal: legal@guardiobot.org