[feedback] bot verification feedback

[brxxn]

Just have some feedback on the new bot verification feature. I think it's overall a pretty good idea due to the influx of Nitro/other scam bots DMing users and attempting to get added. However, I do have some suggestions and feedback I'd like to give regarding the feature:

• Add a setting to disable DMs/mentions from non-verified bots. This can prevent bot DM spam on the user's side and could overall be used to help improve security for users who don't want to receive direct messages from bots.
• Require phone/captcha verification for bot owners in order to create bots. Right now, most scam bots only use one bot to spread their scam. However, a user bot could create a bunch of accounts that create a bunch of bots. The scam bots can then DM users links to other bots that aren't in many servers, bypassing the 100 server limit by having many bots in less than 100 servers. I do understand there are spam-detection systems in place, but this feature could definitely help limit spam by design.
• Add a message to the top of non-verified (and possibly verified too) bot DMs stating it's not owned, operated by, or affiliated with Discord. This could help invalidate bots that aren't made by Discord or claim to be a partnership (such as a bot named "Twitch" stating a partnership that allows for free nitro if you click on a link). Usually bots don't request the user to type in their password right away. For example, they may ask the user to authorize their bot into a server and then use the OAuth redirect URI to lead the user to a website that looks like Discord asking for their password.
• Notify affected users with a system DM and email. Once a spam bot has been detected, all users that have been direct messaged by the fake bot should receive a system DM telling them to secure their account by changing their password and enabling MFA on their account if they did accidentally type in their password or add the bot to their server.
• Prevent verified bots from changing their name. A verified bot should be unable to change its name after verification. This could allow a bot owner to change their bot's name to impersonate Discord or another bot. Disabling changing bot names enforces that the bot does not manipulate users into thinking it's someone they say they aren't. This not only prevents the owner of a verified bot from abusing their permissions but also prevents someone who may gain access to the bot owner's account from using it for malicious purposes. This is already how it's going to work, see verification-faqs in developer server for more information.
• Add a notice to new bot modal feature. I didn't get a chance to see the prototype, but there should be a message stating that everything in the modal is being sent to the bot and a reminder to not type passwords or MFA codes into the box. This could be abused by malicious bots who are attempting to compromise user accounts.

Thanks for reading! Please let me know if you want any additional feedback or have any questions. If you'd like to add more feedback, feel free to reply.

[mr-tech]

I am fine/agree with all of the above except locking the name. I think bots should be allowed to re-brand or anything of the sort. 100 guilds, while may seem like a lot to some people now, is very early in a growing bot's life and having to lock down its identity at that point can be damaging. All systems are prone to abuse but the verification makes it much more difficult for someone to do once and even harder to repeat offend.

This could allow a bot owner to change their bot's name to impersonate Discord or another bot. Disabling changing bot names enforces that the bot does not manipulate users into thinking it's someone they say they aren't.

I believe that locking the name is a heavy-handed fix to the issue posed here. I would imagine that the verification process makes banning a realistic and effective option. Again, having to verify your identity makes it theoretically much easier for Discord to enact permanent corrective action versus what's possible now.

This not only prevents the owner of a verified bot from abusing their permissions but also prevents someone who may gain access to the bot owner's account from using it for malicious purposes.

There are better ways to lock down an account from abuse. One of my favorites that Discord wasn't too keen on was IP whitelisting the token. There's a lot of security measures that the bot developers could do to better secure their systems. It's also worth noting the question regarding security in the verification process. If the concern is "malicious use of a stolen account", the name of the bot is one of the less important concerns, especially if your talking about a lengthy attack campaign. Changing the bot's name is a loud proclamation of "you're hacked!" What's much more concerning are smaller destructive actions that are meant to fly under the radar.

[ks00908]

Regarding locking up name: maybe allow editing it but require to provide reason and someone on discord side would need to approve it, would be some middle ground between full lock and security

To add to all that one more useful feature in my opinion would be to add who owns bot on verified bots profile, what I have in mind is something like this, small popup with owner username.

[muddyfish]

Mirroring another feature request mentioned elsewhere, could bots have connections added to it for social media/github/whatever accounts?

Also a generic website for the bot that we can set would be very nice

[JMTK]

I feel like at this point with the way those Figma links showed more Discord integration, I feel like verified bots should have their own application page within Discord. It feels odd that now a bot can be verified, but they still have to go to 3rd party bot list sites or "landing pages" for bots to find out any more info on them.

[MrAugu]

Disabling certain features from unverified bots have some downsides, many servers have their own bot (1-2 server bot) which they use for support purposes and more things - and other things that involve DMs.

In context of a public bot, 100 servers is a super tiny amount of servers and at that point re-branding should still be an option. But for bots that are in more than 1k or 2.5k servers, owners should be able to contact support for changing the bot's name for re-branding or whatever - permanently taking the option for bots to change their name at all is not a great idea.

[RShyizer]

finally! We see support for the owners of the bots after a period of time and we hope that this development takes place for a longer period not for once or twice for consecutive times.

Legends developers

[pedrofracassi]

Disabling certain features from unverified bots have some downsides, many servers have their own bot (1-2 server bot) which they use for support purposes and more things - and other things that involve DMs.

That feature could be opt-in, as in it comes disabled by default. Maybe show a warning above the message when an unverified bot DMs you?

In context of a public bot, 100 servers is a super tiny amount of servers and at that point re-branding should still be an option. But for bots that are in more than 1k or 2.5k servers, owners should be able to contact support for changing the bot's name for re-branding or whatever - permanently taking the option for bots to change their name at all is not a great idea.

In my opinion, when you verify a bot, you verify its name too, so users can trust and remember it. Twitter makes it so if you're verified and you change your handle, you lose the checkmark. The option could still be avaliable with a bunch of warnings before you change it, and require re-verification afterwards.

[Greenfoot5]

I think name changes should be allowed, but perhaps a little note saying that this user used to be x? Just so people can know who it used to be. I also support the idea of requesting a name change, so then people are forced to think about if it's actually needed.

[alula]

I'd rather add an option to request a name change in dev portal.

[NurMarvin]

I'd rather add an option to request a name change in dev portal.

I think @alula's approach is by far the best option one suggested here regarding name changes, considering that disabling name changes all together could limit developers to an old "brand", even though they already moved on from certain name.

I think name changes should be allowed, but perhaps a little note saying that this user used to be x?

I don't think @Greenfoot5's approach is very good, because then you would only be able to see one past name at a time, or if their plan was to display all past names, could lead to unnecessary amounts of data in the database (not that Discord has any issues with disk space or anything), that could be avoided by having someone from Discord check over the name instead of saving all of the old names.

[brxxn]

Just gonna add that I think name changes should have to be requested and approved by Discord to prevent someone from using the verified badge to make them look like someone they're not. While it may be inconvenient, this should be implemented because the verified badge gives a higher authenticity level to the viewer and could easily mislead them into thinking this is an official bot.

Edit: Name changes aren't going to be allowed after verification according to the verification-faq channel on the Discord Developers server.

[mr-tech]

FYSA:

Once a bot is verified, its ownership cannot be transferred--either from user to user or from a user to a team. Additionally, a bot's name cannot be changed in the Developer Portal or the API after verification.

Our support team is currently building out the infrastructure to help you transfer the ownership of verified bots and change the name of verified bots where necessary. If this is something you end up needing, please contact us at https://dis.gd/contact and we'll be able to help you out.

Source: https://discord.gg/discord-developers https://discordapp.com/channels/613425648685547541/697236247739105340/697970390944841839

brxn beat me to the punch but I'll still add this to provide the direct source.

[JMTK]

I just thought of something: I usually use a second test bot token for my testing and new development. However now some of my features require privileged intents and I am unable to use those features on my test bot. I have to declare non-privileged intents when trying to use that bot but obviously features like presences(which I use), no longer work. What would be the solution to this?

Should I get my test bot verified too? Could there be a way for a "test mode" for a token in the future?

[advaith1]

@JMTK you can just enable the switches for the privileged intents in the dev portal

[JMTK]

Gotcha, I think I misunderstood the limitation for verification. Thanks!

[Andre601]

Notify affected users with a system DM and email. Once a spam bot has been detected, all users that have been direct messaged by the fake bot should receive a system DM telling them to secure their account by changing their password and enabling MFA on their account if they did accidentally type in their password or add the bot to their server.

I personally see some inconvenience (mainly on the side of Discord and their API) with this. When a bot, that f.e. would be on 50+ Servers DMs hundreds, if not thousands of users, would Discord require to find every single one of those DMed Members, maybe filter out other bots as they can't really interact with links and similar in such a way, and then send a DM to each of those individual Member (or the E-Mail). This seems like not a good way.

In addition, would I like to suggest an idea towards this entire verified dev thing, which is to display the verified bot(s) a user has when clicking on the Verified Bot Developer Badge, instead of linking to the blog post. That way could you see (and perhaps even invite?) the bot, without risking to invite a faker. You could still link the blog post in that page/embed(-like) with a "Find out more" text/button or whatever, but I think the bot dev deserves to get known for what bots he received that badge.

[night]

Thanks for the feedback. We do have plans to feed the concept of non-verified vs verified bots into our anti-abuse platform as it spins up, which is our optimal approach for dealing with these scam/spam bots. In an ideal world we're looking to stop these without introducing additional complexity into our products just for these kinds of bots.