Security Disclosure Policy

Effective Date: June 12, 2025

At Character Tavern, the security of our platform and the trust of our community are of paramount importance. We are committed to ensuring our systems are secure and we value the contributions of security researchers and our community members in helping us maintain a safe environment. This policy outlines how to report security vulnerabilities to us and what you can expect in return.

This document is aimed at security researchers and users who wish to report a security vulnerability. We encourage you to read this policy in its entirety before conducting any research and to report any discovered vulnerabilities in accordance with these guidelines.


Our Commitment

  • Acknowledge receipt of your report in a timely manner.
  • Conduct a thorough investigation of all reported vulnerabilities.
  • Keep you informed of our progress as we work to resolve the issue.
  • Not take legal action against you for your good-faith efforts to report vulnerabilities in accordance with this policy.
  • Recognize your contribution to the security of our platform, with your permission.

Scope

This policy applies to all digital assets owned and operated by Character Tavern, including:

  • The Character Tavern website: character-tavern.com and its subdomains.
  • Publicly accessible APIs provided by Character Tavern.

Out of Scope:

  • Third-party services or applications that integrate with Character Tavern.
  • Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks.
  • Spamming or other forms of resource-exhaustion attacks.
  • Social engineering (e.g., phishing, vishing) of our staff or users.
  • Physical attacks against Character Tavern infrastructure.

How to Report a Vulnerability

To report a security vulnerability, please open a ticket in our official Discord server and ping Sal directly. This is the primary and preferred method for reporting security issues.

  1. Join our Discord Server: https://link.character-tavern.com/discord
  2. Open a Ticket: Navigate to the designated channel for support or reporting and create a new ticket. Please indicate that you are reporting a security vulnerability.

If you cannot access Discord or believe the issue is extremely sensitive, contact Sal directly at selaubeurre on Discord.

What to Include in Your Report

  • A clear and concise description of the vulnerability.
  • The location of the vulnerability (e.g., the specific URL or API endpoint).
  • Step-by-step instructions to reproduce the vulnerability.
  • The potential impact of the vulnerability.
  • Your name or alias for recognition purposes (optional).

What to Expect After Reporting

  1. Acknowledgment: We will acknowledge receipt within 3 business days.
  2. Triage: We’ll review and validate the issue. Additional info may be requested.
  3. Remediation: If confirmed, we’ll develop and deploy a fix with a resolution timeline.
  4. Notification of Fix: You’ll be informed when the issue is resolved.
  5. Recognition: With your permission, we’ll credit your contribution publicly.

Safe Harbor

We consider good-faith vulnerability disclosure under this policy to be authorized. We will not pursue legal action provided you follow responsible guidelines. Please do not exfiltrate, misuse, or disclose any user data. Avoid disruptions, privacy violations, or system degradation.

Recognition

We value the work of security researchers. For valid submissions, we offer optional public credit under your chosen name or alias. If you'd prefer to stay anonymous, we will fully respect that choice.

Thank you for helping keep Character Tavern secure.