Security

From Roll20 Wiki

Roll20 employs industry-best 256-bit SSL encryption to help protect your data and your privacy. We also have security measures in place to keep others out of your campaign data unless you specifically invite them in, encrypt our backups, and more. Our goal is to provide you with the peace of mind to know that your games are safe while in our hands.

Reporting Vulnerabilities

That said, we're not perfect, and we know there will be bugs and things we haven't thought of. If you've found an exploit or vulnerability in Roll20, please report it to us as soon as possible at team+security@roll20.net. We would appreciate a 7-day (or longer) period to deal with any issues before they are revealed publicly, should you choose to do so. Unfortunately we do not offer any cash bounties for bug reports. We will list you on our Acknowledgements page if you disclose to us in a responsible manner.

Security vs. "Cheating"

Roll20 is unique in that it is a gaming platform which supports hundreds of different types of games. As a result, the game rules themselves are not really enforced by the Roll20 program. For example, while you should only be able to move tokens the GM has given you control over, you can move them however far you want, even if the rules of your game specify that the token can only move 10ft per turn. While you can only draw cards from decks that are visible to you, you can draw however many cards you want, even if the rules of your game specify "only draw 1 card per turn." The list goes on.

Please do not submit "vulnerabilities" to us regarding enforcing game-specific rules, "cheating" at a game, etc. Roll20 is designed to emulate a tabletop, and just as in real life there is no rules-enforcement robot sitting at your table making sure no one cheats, in Roll20 if a player wants to cheat they can probably find a way to do so. Tabletop games are played based on trust in the players and trust in the GM (or person running the game). Someone can steal from the bank in Monopoly, but they're just ruining the game for everyone, and no amount of automatic enforcement can stop them from doing that.

Examples of things that we are interested in hearing about:

- You can join a game although you haven't been invited to it.

- You can log in as another user.

- You can view someone's Private Messages.

- You can join a game and completely wreck it (e.g. delete everything from the board).

Examples of things that are not security vulnerabilities but are rule-specific cheating:

- You can view the HP of someone else's token using the @{target} macro.

- You figured out a way to switch to a different page in the game.

- You figured out a way to temporarily disable the fog of war on your screen.

- You can view a character's stats even though you can't control that character.

So, to sum it up, we consider security vulnerabilities to be serious breaches of the core functionality of the site (e.g. accessing a game you shouldn't be able to), not ways around the light rules enforcement built into Roll20 (e.g. seeing a piece of text on the GM layer that you shouldn't).

Heartbleed Vulnerability

We've received several emails about this, so we thought we would post an official response here. When the "Heartbleed" OpenSSL vulnerability was disclosed, we immediately checked our servers and did not find any that were running a vulnerable version of OpenSSL. We went ahead and upgraded everything to the latest patched version just to be safe, but at this time it is not necessary to change your password, and at no time was Roll20 vulnerable to this attack.