
Security Policy

Responsible disclosure & operational security

About this project

discord-webhook.com is an independent open project. It is not affiliated with, associated with, authorized by, endorsed by, or in any way officially connected with Discord Inc. The Service is a browser-based tool that helps users compose and send messages to Discord channels using webhook URLs or bot tokens that the users themselves provide. The Service does not request, store, or transmit Discord account passwords. Authentication is performed exclusively through the official Discord OAuth2 flow with the standard identify and guilds scopes.

Operational security

  • User-supplied webhook URLs and bot tokens are encrypted at rest using AES-256-GCM.
  • All traffic is served over HTTPS with a certificate issued by a publicly trusted CA (Google Trust Services).
  • Sessions use httpOnly, secure, SameSite cookies.
  • Rate limiting is enforced on all sensitive endpoints (auth, send, upload).
  • Dependencies are continuously monitored (Dependabot) and a CI gate runs gitleaks on every commit.

Reporting a vulnerability

If you believe you have found a security issue, please report it privately. Please do not file public issues for security reports.

Preferred channel: the Discord community — open a private message to a staff member tagged as staff / admin.

We acknowledge reports within 72 hours and will work in good faith to remediate confirmed issues. Researchers acting in good faith and respecting the scope below will not be subject to legal action.

Scope

In scope

  • discord-webhook.com and the subdomains we operate.
  • Server-side authentication, authorization, and data-handling logic.
  • Cross-site scripting, CSRF, SSRF, IDOR, RCE, and similar classes of issues.

Out of scope

  • Discord, Inc. infrastructure (discord.com, discordapp.com) — report to Discord directly.
  • Third-party services and CDN edge nodes.
  • Reports based solely on automated scanner output without a working proof-of-concept.
  • Self-XSS, missing best-practice headers without measurable impact, social engineering, and denial-of-service via volumetric attacks.

security.txt

A machine-readable policy is available at /.well-known/security.txt per RFC 9116.