Discord Faces Backlash Over Bot Ghost Shutdown Threats After Security Report

Discord is under fire from developers and the community after allegedly mishandling a vulnerability disclosure involving the popular no-code bot creation platform, Bot Ghost. The controversy began when a YouTuber highlighted a critical flaw in Bot Ghost that exposed Discord bot tokens, enabling attackers to hijack bots and potentially harm servers. However, Discord’s subsequent actions toward Bot Ghost have raised serious concerns about fairness, transparency, and the company’s treatment of smaller developers.

Vulnerability Discovery Sparks a Chain Reaction

The issue surfaced when a video detailed how Bot Ghost users’ bot tokens could be extracted and abused. This flaw affected potentially thousands of bots created through the platform, which allows users to build custom bots using simple drag-and-drop blocks without coding knowledge. The video quickly gained traction, and shortly thereafter, Discord contacted Bot Ghost’s owner, Tom, with an urgent list of 18 technical questions and a tight deadline — just 16 hours over a weekend — to respond or face removal from the platform.

Many criticized the timeline as unreasonable, given the complexity of the requested information and the timing of the notice. “It genuinely feels like Discord was setting up Bot Ghost to fail,” the creator of the original video stated.

Policy Enforcement or Selective Punishment?

Discord followed up with a second email threatening to shut down Bot Ghost entirely, citing violations of developer policy, specifically the prohibition against collecting user credentials, including bot tokens. However, critics argue that Bot Ghost’s model inherently requires users to supply their own bot tokens in order to function — a practice Discord had previously tolerated for over seven years.

The controversy deepened when leaked internal messages from Discord employees suggested that the real motivation for the crackdown was risk minimization after two vulnerabilities were disclosed in quick succession. According to the leaks, Discord sought to eliminate the risk by forcing Bot Ghost to remove token-based functionality, effectively making the platform non-viable. Meanwhile, other large bots like MEE6, which similarly collect tokens for premium features, have reportedly continued without similar threats.

“Impossible” Demands and Inconsistent Standards

In response to Discord’s request, Bot Ghost submitted a comprehensive list of application IDs for all bots created on its platform, only for Discord to dismiss the list as inaccurate without providing specifics. Developers have described this as an “impossible quiz,” designed more to drain resources and meet a predetermined deadline than to resolve issues collaboratively.

Adding to frustrations, Discord was also accused of turning a blind eye to similar policy violations by high-profile partners, such as MidJourney, which allegedly used Discord-collected emails for marketing communications without explicit user consent.

A Dangerous Precedent for Developers

Discord’s handling of Bot Ghost has sparked concern among other bot developers. The message many take from it is clear: reporting vulnerabilities or cooperating in good faith with Discord can still result in severe punishment, which discourages responsible disclosure and harms trust in the platform. As the original video creator put it, “If you snitch on yourself or try doing the right thing like Bot Ghost, you will get punished.”

Bot Ghost is reportedly working to reset tokens for inactive bots and explore alternative implementations, but the time pressure and Discord’s inconsistent communication have left its future uncertain.

Community Calls for Transparency

The incident has ignited a broader conversation about Discord’s developer relations and the need for clear, consistent, and fair enforcement of policies. Many argue that while addressing security flaws is essential, the way Discord has handled Bot Ghost risks alienating smaller developers who contribute significantly to the platform’s ecosystem.

For now, developers and users alike will be watching closely to see whether Discord chooses to course-correct — or double down on a path that many feel undermines trust and transparency.