• Discord OAuth2 with PKCE flow
• Client secret stored in compiled Rust binary
• Tokens stored locally with secure storage
• Guild verification for access control

• No sensitive data transmitted to third parties
• Local storage encryption for tokens
• Session-based cache invalidation
• Automatic token refresh mechanism

• HTTPS-only API communications
• Rate limiting protection
• Request timeout configurations
• Retry mechanisms with exponential backoff

• .env - Environment variables
• discord.config.ts - Discord credentials
• *.secret - Secret files
• *.secrets.json - Secret JSON files

• .env.example - Template without values
• Source code with placeholder values
• Configuration templates

If you discover a security vulnerability:

1. Do NOT open a public issue
2. Email: [your-security-email]
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

• Initial response: 48 hours
• Status update: 7 days
• Resolution target: 30 days

1. Never commit credentials or secrets
2. Use environment variables for sensitive data
3. Review code for hardcoded values before PR
4. Keep dependencies updated
5. Follow secure coding guidelines

We appreciate responsible disclosure and will acknowledge security researchers who help improve Wildflover's security.