Security Policy
Last updated: January 2026
Reporting a Vulnerability
The security of Achievements and its associated services is very important to us. If you discover a security vulnerability, we appreciate your help in reporting it responsibly.
How to Report
Please report security issues by email:
Include as much detail as possible:
- A clear description of the issue
- Steps to reproduce (if applicable)
- Affected URLs, endpoints, or features
- Any relevant logs, screenshots, or proof of concept
We aim to acknowledge reports within 48 hours and will provide updates as the issue is reviewed.
Scope
This policy applies to:
- https://achievements.bot
- All subdomains of achievements.bot
- The Achievements Discord bot and its backend services
- Public APIs and dashboards operated by Achievements
Issues outside this scope may not be eligible for review.
Out of Scope
The following are not considered security vulnerabilities:
- Spam or rate-limit issues without security impact
- Social engineering or phishing attacks
- Denial-of-service attacks (DDoS)
- Vulnerabilities in third-party services (Discord, Cloudflare, hosting providers)
- Reports without sufficient technical detail
Responsible Disclosure
We ask that you:
- Do not publicly disclose the vulnerability before it is fixed
- Do not exploit or misuse user data
- Give us reasonable time to investigate and resolve the issue
We commit to:
- Treat reports seriously and respectfully
- Fix confirmed vulnerabilities in a timely manner
- Credit reporters where appropriate (if desired)
Automated Scanning
Automated security scans are allowed at reasonable rates. Aggressive scanning, brute-force attempts, or exploitation will be blocked.
Legal Safe Harbor
If you follow this policy in good faith, we will not pursue legal action against you for your research.
Thank You ❤️
We appreciate the efforts of security researchers and community members who help keep Achievements safe for everyone.