
Security: jomaabilal90-dotcom/sakura-bot


SECURITY.md

Security Policy

Supported Versions

  Version   Supported
  2.0.x     ✅ Yes
  < 2.0     ❌ No

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability within Sakura Bot, please report it responsibly.

How to Report

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them by:

  1. Opening a private security advisory on GitHub
  2. Or opening a GitHub Issue with the security label

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any possible mitigations you've identified

Response Time

  • Acknowledgment: Within 48 hours
  • Initial Assessment: Within 7 days
  • Resolution: Depends on severity, but critical issues will be prioritized

Security Best Practices for Self-Hosters

  • Never commit your .env file or API tokens to version control
  • Keep your dependencies updated (run npm audit regularly and fix reported issues)
  • Use the latest version of Node.js (18+)
  • Restrict your bot's permissions to only what's needed
  • Monitor your Groq API usage for unexpected spikes
  • Consider using Cloudflare D1 for persistent storage instead of local files

Known Security Considerations

  • Sakura stores conversation history in RAM (max 16 messages per channel)
  • User profiles are stored in RAM and optionally in Cloudflare D1
  • No user data is sent to third-party services beyond Groq AI and Jikan API
  • NSFW filtering is pattern-based and may not catch all inappropriate content
  • The bot token must be kept secret at all times

Responsible Disclosure

We appreciate responsible disclosure and will credit security researchers who help us improve Sakura's security. Thank you for helping keep Sakura and our community safe!

There aren't any published security advisories