If you believe you've found a security vulnerability in this project, please report it privately. Do not open a public GitHub issue for security reports — public issues may expose users before a fix is available.
Send vulnerability reports to: support@girlsnetwork.dev
You may also use GitHub's private vulnerability reporting by going to the Security tab of the repository and clicking Report a vulnerability.
A good report typically contains:
- A clear description of the vulnerability and the impact
- Steps to reproduce, or a proof-of-concept
- The affected file(s), command(s), or version(s) where applicable
- Any suggested mitigation, if you have one in mind
- Whether you'd like to be credited in the eventual advisory (and if so, how)
You don't need every item — give us what you have. We'll follow up if we need more.
We aim to respond on the following schedule:
| Stage | Target window |
|---|---|
| Initial acknowledgement | within 72 hours |
| Triage and severity assessment | within 7 days |
| Fix or mitigation in place | within 30 days* |
| Public disclosure / advisory | after a fix is shipped |
*Complex issues may take longer; we'll keep you informed if so.
The following are in scope for this policy:
- The bot's source code in this repository (
src/**) - The deployment artefacts (Dockerfile, GitHub Actions workflows)
- The way the bot handles Discord tokens, environment variables, and any persisted user data
- Any HTTP endpoints, IPC channels, or other surfaces the bot exposes at runtime
The following are out of scope:
- Vulnerabilities in third-party services or libraries we depend on (Discord API, npm packages, etc.) — please report those upstream
- Issues that require an attacker to already have administrative access to the host running the bot
- Denial-of-service requiring unrealistic resources
- Self-XSS or social engineering attacks
- Reports generated by automated scanners without a working proof-of-concept
Only the latest version on the main branch receives security updates. Forks and older releases are not supported by us — if you operate one, you are responsible for backporting fixes.
We appreciate responsible disclosure and commit to:
- Acknowledging your report promptly
- Keeping you updated on our progress
- Crediting you in the advisory if you wish
- Not pursuing legal action against good-faith researchers who follow this policy