The security of Pegasus Discord Bot is a top priority. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.
We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| 1.x.x | β |
| 0.x.x | β |
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them through one of these channels:
- Email: Send details to security@cptcr.dev
- Discord: DM a project maintainer on our support server
- GitHub Security Advisories: Create a security advisory
Please include the following information to help us triage your report quickly:
- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- Initial Response: Within 48 hours
- Triage & Analysis: Within 7 days
- Fix Development: Depends on severity (Critical: 24-48h, High: 7 days, Medium: 14 days, Low: 30 days)
- Public Disclosure: After fix is released and users have had time to update
When using Pegasus, please follow these security best practices:
- Never commit your bot token to version control
- Use environment variables for sensitive configuration
- Rotate your token immediately if exposed
- Use different tokens for development and production
- Use strong passwords for your PostgreSQL database
- Restrict database access to only necessary hosts
- Enable SSL/TLS for database connections in production
- Regular backups of your database
- Keep PostgreSQL updated with security patches
- Principle of Least Privilege: Only grant the bot permissions it needs
- Regular Audits: Review bot permissions periodically
- Role Hierarchy: Ensure the bot's role is positioned correctly
- Command Permissions: Use Discord's built-in command permissions
# Good - Using environment variables
DISCORD_TOKEN=your_token_here
DATABASE_URL=postgresql://user:pass@localhost/db
# Bad - Hardcoding in source files
const token = "MTE2MzU4..." // Never do this!- Use HTTPS for any web interfaces or APIs
- Keep dependencies updated regularly
- Use a process manager like PM2 with proper restart policies
- Implement rate limiting to prevent abuse
- Monitor logs for suspicious activity
- Use a firewall to restrict unnecessary ports
Pegasus includes several built-in security features:
- All user inputs are validated and sanitized
- SQL injection protection through parameterized queries
- Command injection prevention
- Built-in rate limiting for commands
- Configurable cooldowns
- Anti-spam measures
- Comprehensive audit logs for moderation actions
- User action tracking
- Security event logging
- Role-based access control
- Permission verification for all commands
- Hierarchical permission system
We would like to thank the following individuals for responsibly disclosing security issues:
- Your name could be here!
- Security Email: security@cptcr.dev
- Developer: cptcr.dev
- Support Server: discord.gg/vaultscope
We kindly ask you to:
- Give us reasonable time to fix the issue before public disclosure
- Make a good faith effort to avoid privacy violations, data destruction, and service interruption
- Not access or modify other users' data without explicit permission
Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Pegasus and its users safe! π‘οΈ