
Heartbleed Bug

2014-04-18 20:06 UTC

Edited 2014-04-18 22:31 UTC
The Storyteller
Sheet Author
Was Roll20 affected by this bug? I figure there are enough active users where it might be good to inquire. http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/
2014-04-18 21:33 UTC

Edited 2014-04-18 21:36 UTC
Lithl
Pro
Sheet Author
API Scripter
Heartbleed Fix has scanned both app.roll20.net and marketplace.roll20.net and found them not vulnerable to the Heartbleed exploit. That said, I believe Roll20 uses a third party for account payment information. The upshot of that is that even if Roll20 were vulnerable, an attacker wouldn't get things like users' financial information; at worst, they'd gain DB access, delete campaigns, and send spam email. On the other hand, without knowing who that third-party vendor is, I can't say whether they're vulnerable. ~_^

Note that only the OpenSSL implementation of SSL/TLS is vulnerable to Heartbleed. OpenSSL is by and large only in use on *nix servers, while IIS (Windows) servers use an alternate implementation that is not vulnerable.

Further, OpenSSL version 1.0.1g was released within 48 hours of the exploit's discovery, fixing the vulnerability, and the fix was also backported to other 1.0.1 versions; closing a server's vulnerability to the bug takes less than two minutes of a server administrator's time. (I should know, I did it myself on my personal server.)

(Interesting side note: the vulnerability in OpenSSL was committed to the repository at ~11:58pm on a New Year's Eve, and was written by the same guy who proposed the heartbeat extension to TLS in the first place -- the very piece of the protocol being exploited by the bug.)
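As an added illustration (not code posted in this thread, and not anything from Roll20 or OpenSSL itself), here is a small C program that models the bug Lithl is describing in the heartbeat extension: a heartbeat request carries a 16-bit payload_length, and OpenSSL before 1.0.1g copied that many bytes into the response without checking that the record actually contained them, so the reply echoed whatever sat next to the record in memory. The "heap", the adjacent SECRET string and the 4-byte-payload-claiming-255 request are constructed for the example; the two handlers mirror the before/after shape of the fix, with the bounds check that 1.0.1g added.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * TLS heartbeat message layout (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16 bytes)
 * Heartbleed: OpenSSL < 1.0.1g copied payload_length bytes out of the record
 * without checking that the record actually contained that many bytes.
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Constructed stand-in for the process heap: the received record is placed at
 * the front, and a "neighbouring" allocation (the secret) right behind it. */
static unsigned char heap[512];
static const char SECRET[] = "session=constructed_example_secret";

/* Build a heartbeat request whose declared payload_length may exceed the
 * bytes actually present. Returns the real record length. */
static size_t build_heartbeat(unsigned char *dst, uint16_t declared_len,
                              const unsigned char *payload, size_t actual_len)
{
    dst[0] = HB_REQUEST;
    dst[1] = (unsigned char)(declared_len >> 8);
    dst[2] = (unsigned char)(declared_len & 0xff);
    memcpy(dst + 3, payload, actual_len);
    memset(dst + 3 + actual_len, 0xAA, HB_PADDING);  /* padding content is arbitrary */
    return 3 + actual_len + HB_PADDING;
}

/* Pre-1.0.1g shape: trusts the attacker-controlled length field.
 * rec_len is the true record length but is never consulted. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t *out_len)
{
    (void)rec_len;                               /* the missing check */
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload_len = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != HB_REQUEST)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, p, payload_len);             /* over-read: copies past the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    *out_len = 3 + payload_len + HB_PADDING;
    return 0;
}

/* 1.0.1g shape: bounds-check the declared length against the record and
 * silently discard anything that does not fit. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t *out_len)
{
    if (1 + 2 + HB_PADDING > rec_len)
        return -1;                               /* too short for even an empty payload */
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload_len = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return -1;                               /* declared length exceeds what was received */
    if (hbtype != HB_REQUEST)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, p, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    *out_len = 3 + payload_len + HB_PADDING;
    return 0;
}

/* Does buf contain needle? (minimal portable memmem) */
static int contains(const unsigned char *buf, size_t buf_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= buf_len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Send a 4-byte payload that claims to be 255 bytes long through either handler.
 * Returns 1 if the response leaks SECRET, 0 if it does not, -1 if the record was discarded. */
int heartbeat_leaks_secret(int use_fixed)
{
    static const unsigned char ping[] = { 'p', 'i', 'n', 'g' };
    unsigned char out[1024];
    size_t out_len = 0;

    memset(heap, 0, sizeof heap);
    size_t rec_len = build_heartbeat(heap, 255, ping, sizeof ping);
    memcpy(heap + rec_len, SECRET, sizeof SECRET);   /* the adjacent allocation */

    int rc = use_fixed ? heartbeat_fixed(heap, rec_len, out, &out_len)
                       : heartbeat_vulnerable(heap, rec_len, out, &out_len);
    if (rc != 0)
        return -1;
    return contains(out, out_len, SECRET);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", heartbeat_leaks_secret(0));
    printf("fixed handler result (-1 = discarded): %d\n", heartbeat_leaks_secret(1));
    return 0;
}
```

The over-read here stays inside the constructed heap array so the program is well defined; in the real library the same memcpy walked into whatever the allocator had placed after the record, which is why the leaked 64 KB could contain keys, cookies or other users' requests. Note that the fix is a length check, not a protocol change: patched servers still answer heartbeats, so a scanner like the one mentioned above has to send an over-long request and see whether the reply is longer than what was sent.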
Brilliant! Curiosity satiated... for now. -.-