Security
From Roll20 Wiki
Roll20 employs industry-best 256-bit SSL encryption to help protect your data and your privacy. We also have security measures in place that keep others out of your campaign data unless you specifically invite them in, encrypt our backups, and more. Our goal is to provide you with the peace of mind of knowing that your games are safe while in our hands.
Reporting Vulnerabilities
That said, we're not perfect, and we know there will be bugs and things we haven't thought of. If you've found an exploit or vulnerability in Roll20, please report it to us as soon as possible at team+security@roll20.net. We would appreciate a 7-day (or longer) period to deal with any issues before they are revealed publicly, should you choose to do so. In addition, while we can't offer cash bounties for reports, we have been known to give free Mentor accounts to folks who report vulnerabilities to us in a responsible manner.
Heartbleed Vulnerability
We've received several emails about this, so we thought we would post an official response here. When the "Heartbleed" OpenSSL vulnerability was disclosed, we immediately checked our servers and did not find any that were running a vulnerable version of OpenSSL. We went ahead and upgraded everything to the latest patched version just to be safe, but at this time it is not necessary to change your password, and at no time was Roll20 vulnerable to this attack.