Return Home
Guardiobot Logo Guardiobot Technologies

Security Policy

Last Updated: November 20, 2025

Protecting Your Data and Our Service

Table of Contents

1. Introduction

Security is a core priority at GuardioBot. This Security Policy outlines our approach to protecting the Service, our users' data, and the communities we serve. It also provides information on how to report security vulnerabilities and how we respond to security incidents.

GuardioBot is operated as an individual project. "GuardioBot Technologies" is a trade name used to describe the Service and does not constitute a legal business entity.

We are committed to:

  • Protecting user data and privacy
  • Maintaining the security and integrity of our Service
  • Responding promptly to security issues
  • Being transparent about our security practices
  • Continuously improving our security posture

2. Our Security Approach

2.1 Security Principles

Our security approach is built on the following principles:

  • Defense in Depth: Multiple layers of security controls to protect against various threats
  • Least Privilege: Granting the minimum level of access necessary to perform functions
  • Security by Design: Incorporating security considerations from the earliest stages of development
  • Continuous Monitoring: Ongoing monitoring and logging of system activities
  • Incident Preparedness: Maintaining plans and procedures for responding to security incidents
  • Transparency: Being open about our security practices and incidents when appropriate

2.2 Security Measures

We implement comprehensive security measures including:

  • Encryption: All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest is encrypted using industry-standard encryption algorithms (AES-256)
  • Authentication: Strong authentication mechanisms including secure token-based authentication for API access
  • Access Controls: Role-based access control (RBAC) to limit access to systems and data
  • Logging and Monitoring: Comprehensive logging of system events, access attempts, and security-relevant activities
  • Vulnerability Management: Regular security assessments, vulnerability scanning, and penetration testing
  • Security Updates: Timely application of security patches and updates to all systems and dependencies
  • Secure Development: Following secure coding practices and conducting code reviews
  • Input Validation: Strict validation and sanitization of all user inputs to prevent injection attacks

2.3 Data Protection

We protect user data through:

  • Data Minimization: Collecting only the data necessary to provide the Service
  • Secure Storage: Storing data in secure, access-controlled databases with encryption
  • Data Segregation: Logically separating data between different customers and communities
  • Backup and Recovery: Regular encrypted backups stored securely with tested recovery procedures
  • Data Retention: Implementing data retention policies and secure deletion procedures
  • Privacy Controls: Providing users with control over their data in accordance with our Privacy Policy

3. Infrastructure Security

3.1 Network Security

Our network security measures include:

  • Firewalls and network segmentation to isolate critical systems
  • DDoS protection and rate limiting to prevent service disruption
  • Intrusion detection and prevention systems (IDS/IPS)
  • Network traffic monitoring and analysis
  • Regular network security assessments
  • Secure VPN access for administrative functions

3.2 Application Security

We secure our applications through:

  • Secure coding practices following OWASP guidelines
  • Regular code reviews and security testing
  • Static and dynamic application security testing (SAST/DAST)
  • Protection against common vulnerabilities (SQL injection, XSS, CSRF, etc.)
  • API security including authentication, authorization, and rate limiting
  • Dependency management and vulnerability scanning of third-party libraries
  • Container security for containerized applications

3.3 Access Controls

Access to systems and data is controlled through:

  • Multi-factor authentication (MFA) for administrative access
  • Role-based access control (RBAC) with least privilege principles
  • Regular access reviews and audits
  • Immediate revocation of access upon termination or role change
  • Secure credential management and rotation
  • Session management with automatic timeouts
  • Audit logging of all access and privileged operations

4. Vulnerability Disclosure Program

We welcome and encourage responsible disclosure of security vulnerabilities. This program provides a clear process for security researchers to report vulnerabilities safely and responsibly.

4.1 Scope

This vulnerability disclosure program covers:

  • GuardioBot Discord bot and its functionality
  • GuardioBot Roblox bot and its functionality
  • GuardioBot website (guardiobot.org and subdomains)
  • GuardioBot API endpoints
  • GuardioBot infrastructure (to the extent discoverable through authorized testing)

4.2 How to Report

To report a security vulnerability:

  • Email: Send a detailed report to security@guardiobot.org
  • Encryption: For sensitive reports, you may encrypt your message using our PGP key (available upon request)
  • Subject Line: Use the subject line format: "SECURITY: [Brief Description]"

Do NOT:

  • Disclose the vulnerability publicly before we have had a chance to address it
  • Report vulnerabilities through public channels (GitHub issues, social media, etc.)
  • Test vulnerabilities on production systems without authorization

4.3 What to Include

Please include the following information in your report:

  • Description: Clear description of the vulnerability and its potential impact
  • Steps to Reproduce: Detailed steps to reproduce the vulnerability
  • Proof of Concept: Code, screenshots, or other evidence demonstrating the vulnerability
  • Affected Systems: Specific systems, endpoints, or components affected
  • Severity Assessment: Your assessment of the severity (Critical, High, Medium, Low)
  • Recommendations: Suggested remediation steps (optional but appreciated)
  • Your Information: Name, contact email, and (optionally) how you'd like to be credited

4.4 Response Timeline

We commit to the following response timeline:

  • Initial Response: Within 48 hours of receiving your report, we will acknowledge receipt
  • Status Update: Within 7 days, we will provide an initial assessment and expected timeline
  • Resolution: We aim to resolve critical vulnerabilities within 30 days, high severity within 60 days, and medium/low severity within 90 days
  • Disclosure: We will work with you on a coordinated disclosure timeline, typically 90 days after resolution

4.5 Safe Harbor

If you comply with this policy during security research, we commit to:

  • Not pursue or support legal action related to your research
  • Work with you to understand and resolve the issue quickly
  • Recognize your contribution (with your permission) on our security acknowledgments page

SAFE HARBOR PROTECTION APPLIES ONLY TO RESEARCH CONDUCTED IN GOOD FAITH AND IN ACCORDANCE WITH THIS POLICY. ACTIVITIES THAT VIOLATE LAWS, DAMAGE SYSTEMS, ACCESS OR EXFILTRATE USER DATA, OR DISRUPT THE SERVICE ARE NOT COVERED.

5. Responsible Disclosure Guidelines

5.1 Do's

When conducting security research, please:

  • ✅ Use test accounts and test servers whenever possible
  • ✅ Minimize your impact on production systems and user data
  • ✅ Report vulnerabilities as soon as you discover them
  • ✅ Provide detailed information to help us reproduce and fix the issue
  • ✅ Give us reasonable time to address the vulnerability before disclosure
  • ✅ Delete any data you may have accessed during testing
  • ✅ Respect user privacy and data protection laws
  • ✅ Follow our coordinated disclosure timeline

5.2 Don'ts

The following activities are prohibited:

  • ❌ Do not access, modify, or delete user data without explicit authorization
  • ❌ Do not perform denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
  • ❌ Do not exploit vulnerabilities for personal gain or to harm others
  • ❌ Do not disclose vulnerabilities publicly before coordinated disclosure
  • ❌ Do not spam or flood systems with requests
  • ❌ Do not use social engineering, phishing, or physical attacks
  • ❌ Do not test third-party services or platforms (Discord, Roblox) - report those directly to them
  • ❌ Do not use automated scanners without prior authorization
  • ❌ Do not demand payment or compensation for reporting vulnerabilities

6. Out of Scope

The following are explicitly out of scope for our vulnerability disclosure program:

  • Third-Party Services: Vulnerabilities in Discord, Roblox, or other third-party platforms (report directly to them)
  • Social Engineering: Attacks involving deception, manipulation, or physical security
  • Denial of Service: Attacks designed to disrupt service availability
  • Spam/Abuse: Spam, content manipulation, or policy violations
  • User-Generated Content: Issues with content created by users or communities
  • Known Issues: Vulnerabilities we have already identified and are working to fix
  • Low-Impact Issues: Issues with minimal or no security impact (e.g., missing security headers on non-sensitive pages, self-XSS, clickjacking on non-sensitive pages)
  • Physical Security: Physical access to our facilities or equipment

7. Incident Response

We maintain a comprehensive incident response plan to quickly detect, contain, and recover from security incidents.

7.1 Detection and Analysis

We detect security incidents through:

  • Automated monitoring and alerting systems
  • Security information and event management (SIEM)
  • User reports and vulnerability disclosures
  • Threat intelligence feeds
  • Regular security assessments and audits

Upon detection, we immediately:

  • Assess the severity and scope of the incident
  • Determine affected systems and data
  • Activate the incident response team
  • Begin detailed forensic analysis

7.2 Containment

To contain security incidents, we:

  • Isolate affected systems to prevent spread
  • Implement temporary security controls
  • Preserve evidence for analysis
  • Block malicious activity
  • Implement additional monitoring

7.3 Eradication and Recovery

After containment, we:

  • Remove malicious code, unauthorized access, or vulnerabilities
  • Patch systems and update security controls
  • Reset compromised credentials
  • Restore systems from clean backups if necessary
  • Verify that systems are secure before restoration
  • Monitor for signs of persistent threats

7.4 Notification

We will notify affected parties in accordance with:

  • Applicable data breach notification laws (GDPR, CCPA, etc.)
  • Our contractual obligations
  • Best practices for transparency

Notifications will include:

  • Nature of the incident and data affected
  • Steps we have taken to address the incident
  • Recommended actions for affected users
  • Contact information for questions

7.5 Post-Incident Review

After resolution, we conduct a thorough post-incident review to:

  • Document the incident timeline and response actions
  • Identify root causes and contributing factors
  • Assess the effectiveness of our response
  • Implement improvements to prevent recurrence
  • Update security controls, policies, and procedures
  • Share lessons learned (while protecting sensitive information)

8. Security Best Practices for Users

8.1 Account Security

Protect your Discord and Roblox accounts:

  • Enable two-factor authentication (2FA) on your Discord and Roblox accounts
  • Use strong, unique passwords for each platform
  • Never share your account credentials
  • Be cautious of phishing attempts and suspicious links
  • Keep your email account secure
  • Regularly review account activity and authorized applications

8.2 Bot Configuration

Securely configure GuardioBot:

  • Grant only the necessary permissions required for functionality
  • Regularly review and audit bot permissions
  • Restrict administrative commands to trusted roles
  • Configure moderation settings appropriate to your community
  • Keep your server's moderation logs private
  • Regularly update your server rules and moderation settings

8.3 Permissions Management

Manage permissions carefully:

  • Follow the principle of least privilege for all roles
  • Regularly audit who has administrative access
  • Remove permissions from inactive or departed moderators
  • Use role hierarchies to prevent privilege escalation
  • Protect sensitive channels with appropriate permissions
  • Document your permission structure

9. Security Updates and Patches

We maintain a proactive approach to security updates:

  • Dependency Management: Regularly update all dependencies and libraries
  • Vulnerability Scanning: Automated scanning for known vulnerabilities in dependencies
  • Patch Management: Rapid deployment of security patches for critical vulnerabilities
  • Update Schedule: Regular updates for non-critical improvements
  • Emergency Patches: Immediate deployment for critical security issues
  • Testing: Thorough testing of updates before deployment

Critical Security Updates: For critical vulnerabilities, we may deploy emergency patches with minimal notice. We will communicate these updates through:

  • Discord announcements
  • Email notifications (if available)
  • Website security bulletin

10. Third-Party Security

We carefully manage third-party security:

  • Vendor Assessment: Evaluating security practices of third-party service providers
  • Data Processing Agreements: Contractual security requirements for data processors
  • Monitoring: Ongoing monitoring of third-party security posture
  • Incident Coordination: Coordinated response to incidents involving third parties
  • Platform Compliance: Adherence to Discord and Roblox security requirements

Third-Party Services We Use:

  • Cloud hosting providers (with encryption at rest and in transit)
  • Database services (with access controls and encryption)
  • Monitoring and logging services (with data retention policies)

11. Compliance and Certifications

We are committed to maintaining compliance with applicable security and privacy standards:

  • GDPR: General Data Protection Regulation compliance for EU users
  • CCPA: California Consumer Privacy Act compliance
  • OWASP: Following OWASP Top 10 security practices
  • Platform Compliance: Adherence to Discord and Roblox security requirements

Security Assessments: We conduct regular security assessments including:

  • Internal security audits
  • Vulnerability assessments
  • Code security reviews
  • Penetration testing (periodic)

12. Contact Information

For security-related matters:

GuardioBot Security Team

Security Issues: security@guardiobot.org

Vulnerability Reports: security@guardiobot.org

Security Incidents: security@guardiobot.org

Privacy/Data Security: privacy@guardiobot.org

General Support: support@guardiobot.org

Website: https://guardiobot.org

Response Times:

  • Critical security issues: Within 24 hours
  • Vulnerability reports: Within 48 hours (acknowledgment)
  • General security inquiries: Within 5 business days

FOR URGENT SECURITY INCIDENTS REQUIRING IMMEDIATE ATTENTION, PLEASE MARK YOUR EMAIL SUBJECT AS "URGENT SECURITY INCIDENT" AND WE WILL PRIORITIZE YOUR REPORT.

SECURITY IS A SHARED RESPONSIBILITY

1. We are committed to protecting the Service and your data.
2. We welcome responsible disclosure of security vulnerabilities.
3. We respond promptly to security incidents and reports.
4. We continuously improve our security practices.
5. Users play a vital role in maintaining security through best practices.
6. Together, we build a more secure platform for everyone.

THANK YOU FOR HELPING US KEEP GUARDIOBOT SECURE.