Hi,

I'm a security engineer at Patreon. Like most companies we take security reports from folks via security@patreon.com and support@patreon.com. The dedicated security email is the quickest route to the security team.

We also have an invite only HackerOne program where we've invited the top reporters on HackerOne. When folks send us a valid report via email we also add them to our HackerOne program for reward (we've paid out >$17,000 to security researchers to date). As with any developing bug bounty program we're still improving it and we plan to open up our HackerOne program soon.

While that's good to know, it's not me you should be telling this to now, it's this guy a few days ago: https://twitter.com/DMDeck16/status/889156464891371520 https://twitter.com/DMDeck16/status/890188665389010945

I dunno, it took me all of 20 seconds to go to their FAQ page and find the reporting email address for security issues (https://patreon.zendesk.com/hc/en-us/articles/115003872306-S...).

If this guy has been screaming into the void on Twitter waiting for an email address, then the problem is probably that he's using twitter.