Our Security Commitments
TLS 1.3 Encryption
SHA-256 Password Hashing
AES-256 Data Encryption
JWT Authentication
24/7 Intrusion Monitoring
Regular Security Audits
GDPR & CCPA Compliant
Data Protection
Encryption in Transit
All data transmitted between your device and our servers is encrypted using TLS 1.3, the latest and most secure transport layer security protocol.
Encryption at Rest
All stored data, including account information and transaction history, is encrypted using AES-256 encryption on our servers.
Password Security
Passwords are hashed client-side using SHA-256 before leaving your browser. We never receive or store your plaintext password.
Zero localStorage Credentials
We never store credentials in browser localStorage. Only encrypted session tokens are saved, which expire after 24 hours of inactivity.
Client-Side Security Architecture
Your sensitive data is processed in your browser before transmission:
- Password Hashing: Passwords are hashed using the Web Crypto API (SHA-256) in your browser before being sent to our servers
- No Plaintext Storage: Credentials are never stored in cookies, localStorage, or sessionStorage
- Session Tokens: Encrypted JWT tokens are used for authentication, with automatic expiration
- HTTPS Everywhere: All requests use HTTPS to prevent man-in-the-middle attacks
Account Security
Password Requirements
To ensure account security, we enforce strong password policies:
- Minimum 10 characters in length
- Must not be a commonly used password (checked against breach databases)
- Should include a mix of uppercase, lowercase, numbers, and symbols (recommended)
- Cannot be reused from previous passwords (if changed)
Password Security Best Practices
- Never reuse passwords from other services
- Use a password manager to generate and store unique passwords
- Enable two-factor authentication when available (coming soon)
- Change your password immediately if you suspect unauthorized access
Account Verification
Your account is linked to your Minecraft UUID, providing an additional layer of security:
- Each UUID can only be associated with one BFM account
- Attempts to create duplicate accounts are automatically blocked
- License verification happens on every mod launch
- Invalid or expired licenses are immediately revoked
Session Management
- Sessions expire after 24 hours of inactivity
- You can manually log out from all devices via account settings
- IP address changes may trigger re-authentication for security
- Suspicious login attempts are logged and may require email verification
Threat Detection & Prevention
Intrusion Detection
24/7 monitoring for suspicious activity, brute force attempts, and unauthorized access attempts.
DDoS Protection
Cloudflare-powered DDoS mitigation protects our infrastructure from distributed attacks.
Rate Limiting
Intelligent rate limiting prevents abuse, spam, and automated attacks on our API endpoints.
Anomaly Detection
Machine learning models identify unusual patterns that may indicate security threats.
Automated Security Measures
- Brute Force Protection: Account lockout after 5 failed login attempts (15-minute cooldown)
- IP Reputation Filtering: Known malicious IPs are automatically blocked
- Geo-Blocking: Access from high-risk regions may require additional verification
- Bot Detection: CAPTCHA challenges for suspicious automated traffic
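An added example, not BFM's own code, of the brute-force rule above (lockout after 5 failed attempts, 15-minute cooldown) as a per-account throttle with an injectable clock; `attemptLogin` and the `credentialOk` flag standing in for the real password check are assumptions.

```javascript
// Added example, not BFM's own code: per-account lockout after 5 failed logins
// with a 15-minute cooldown, as the page states. Names are assumed.
const MAX_FAILED_ATTEMPTS = 5;
const LOCKOUT_MS = 15 * 60 * 1000;

class LoginThrottle {
  constructor(now = () => Date.now()) {
    this.now = now;          // injectable clock so the cooldown can be tested
    this.state = new Map();  // accountId -> { failures, lockedUntil }
  }

  // Gate to consult before any credential check; never verify a password while locked.
  check(accountId) {
    const s = this.state.get(accountId);
    const t = this.now();
    if (!s || s.lockedUntil <= t) return { allowed: true, retryAfterMs: 0 };
    return { allowed: false, retryAfterMs: s.lockedUntil - t };
  }

  recordFailure(accountId) {
    const t = this.now();
    const s = this.state.get(accountId) || { failures: 0, lockedUntil: 0 };
    if (s.lockedUntil && s.lockedUntil <= t) {
      s.failures = 0;        // an expired lockout starts a fresh count
      s.lockedUntil = 0;
    }
    s.failures += 1;
    if (s.failures >= MAX_FAILED_ATTEMPTS) s.lockedUntil = t + LOCKOUT_MS;
    this.state.set(accountId, s);
    return this.check(accountId);
  }

  recordSuccess(accountId) {
    this.state.delete(accountId); // a good login clears the failure count
  }
}

// credentialOk stands in for the real password verification (assumed placeholder).
// Note: a per-account lockout can also be triggered against a legitimate user, which is
// why it is normally paired with the per-IP rate limiting the page mentions.
function attemptLogin(throttle, accountId, credentialOk) {
  const gate = throttle.check(accountId);
  if (!gate.allowed) return { status: "locked", retryAfterMs: gate.retryAfterMs };
  if (!credentialOk) {
    const after = throttle.recordFailure(accountId);
    return after.allowed
      ? { status: "invalid_credentials", retryAfterMs: 0 }
      : { status: "locked", retryAfterMs: after.retryAfterMs };
  }
  throttle.recordSuccess(accountId);
  return { status: "ok", retryAfterMs: 0 };
}
```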
Payment Security
Stripe Payment Processing
All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. This ensures:
- Your credit card information is never stored on our servers
- Payment data is encrypted and tokenized by Stripe
- We only receive the last 4 digits of your card for reference
- All transactions use 3D Secure authentication when available
What We Store
Regarding payment information, we only store:
- Transaction ID and amount (for your purchase history)
- Last 4 digits of card and expiration date (for identification)
- Stripe customer ID (for subscription management)
We never see or store your full card number, CVV, or billing address.
Security Audits & Testing
Regular Security Assessments
- Quarterly Security Audits: Independent third-party security assessments
- Penetration Testing: Ethical hackers test our systems for vulnerabilities
- Code Reviews: All code changes undergo security-focused peer review
- Dependency Scanning: Automated scanning for known vulnerabilities in libraries
Vulnerability Disclosure
We take security vulnerabilities seriously and encourage responsible disclosure:
- Report vulnerabilities to: [email protected]
- We respond to all reports within 48 hours
- Critical issues are patched within 7 days
- Responsible researchers may be acknowledged in our Hall of Fame
Responsible Disclosure Guidelines
- Do not publicly disclose the vulnerability before we've patched it
- Do not exploit the vulnerability for personal gain
- Provide detailed information to help us reproduce the issue
- Allow us reasonable time to fix the vulnerability before disclosure
Compliance & Certifications
Data Protection Regulations
Bazaar Flipper Mod complies with major data protection regulations:
- GDPR (General Data Protection Regulation): European Union data protection law
- CCPA (California Consumer Privacy Act): California privacy rights
- COPPA (Children's Online Privacy Protection Act): We do not collect data from users under 13
Industry Standards
- OWASP Top 10: Protection against the most critical web application security risks
- PCI-DSS Compliance: Through Stripe payment processing
- SOC 2 Type II: Cloud hosting infrastructure compliance (AWS/GCP)
Incident Response
Data Breach Protocol
In the unlikely event of a data breach, we have a comprehensive response plan:
- Immediate Containment: Isolate affected systems within 1 hour of detection
- Assessment: Determine scope and impact within 24 hours
- User Notification: Email affected users within 72 hours with details and guidance
- Remediation: Fix vulnerabilities and implement additional safeguards
- Post-Mortem: Publish a public incident report after resolution
What We'll Tell You
If you're affected by a breach, we will provide:
- What data was potentially compromised
- When the breach occurred and was discovered
- What actions we've taken to address it
- What steps you should take to protect yourself
- Contact information for questions and support
Your Security Responsibilities
While we implement robust security measures, your cooperation is essential:
Do:
- Use a strong, unique password
- Keep your password confidential
- Log out when using shared computers
- Report suspicious activity immediately
- Keep your email address up to date
- Download BFM only from official sources
- Keep your Minecraft client and Java up to date
Don't:
- Share your account credentials with anyone
- Use public Wi-Fi without a VPN for account access
- Click suspicious links in emails claiming to be from BFM
- Install unofficial "cracked" or "modded" versions of BFM
- Ignore security warnings or certificate errors
Contact Security Team
For security-related inquiries, please contact:
Reporting Suspicious Activity
If you notice any of the following, contact us immediately:
- Unrecognized logins or devices in your account
- Unexpected password reset emails
- Suspicious charges on your payment method
- Phishing emails impersonating BFM
- Unusual mod behavior or unauthorized data access
Security is a Partnership
We're committed to maintaining the highest security standards, but we need your help. If you notice anything suspicious or have security concerns, please don't hesitate to reach out. Together, we can keep the BFM community safe and secure.