FAQ
Operator-facing answers. If your question isn't here, [email protected] is the right address — and almost always faster than guessing.
I think a player flag is a false positive — what should I do?
Open the verdict from the dashboard's Recent detections feed and read the flag list. If you're confident it's a false positive, send a short note to [email protected] with the player identifier (any one of them is enough) and what you observed. We treat appeals under the DSA's notice-and-action framework — you'll get a written reply with the outcome.
Don't whitelist the player from your dashboard until we've confirmed the appeal — an over-eager whitelist is itself a signal we look at.
How do I whitelist a custom resource the backdoor scanner keeps flagging?
Open the dashboard → Server → Resource hygiene. The flagged resource has a Mark trusted action. Add a short reason; it ends up in the audit log so future you (or another operator on your team) knows why this resource is exempt. See Server setup for the longer write-up.
How often do detection rules update?
Tuning changes (threshold adjustments, whitelist additions) ship roughly weekly and are applied server-side — you don't need to update the on-server resource for those. Structural changes (new families, new verdict strings, on-server changes) are announced ahead of time in the operator Discord; the on-server resource ships with an explicit version, and you upgrade when you're ready.
We don't publish a live changelog on these docs on purpose — Discord is the authoritative channel and a public changelog tends to ossify into a date-promise page that gets out of sync. If you want the announcements, the operator Discord channel link is in your pilot package.
When should I use the Discord-verify emergency bypass?
Only when Discord-side verification can't reach a verdict for reasons unrelated to your players: Discord is down, your bot was removed from the guild, the guild ID drifted. Don't use it for individual players. Each request is capped at one hour and your server has at most 24 hours of cumulative bypass per 30 days; fixed budget is intentional. See Discord verify.
What happens to my data?
Connect-path metadata (identifiers, IP, network signals) is processed in the EU (Hetzner Germany) under the published retention windows. The full picture lives in the Privacy Policy §9; the short version is: action-related logs are retained 7 days, scan logs 30 days, and you can request export or deletion under GDPR Art. 15 / Art. 17 by emailing [email protected].
I don't see my server in the dashboard yet.
New servers show up after the first successful connect-path request from the on-server resource. If you've completed the Quickstart and still don't see anything after a few minutes, the most common causes are: the API key was pasted into the wrong server's config.lua, outbound TCP/443 to api.hoaxeye.net is blocked, or the resource isn't actually started (check server.cfg's ensure line).
Where do I report a security issue with hoaxeye itself?
The disclosure address is on the security page. Please email rather than opening it on a public channel — we appreciate the heads-up window before disclosure.