As an employee of Patreon, we totally respect this decision. If other companies can learn from our mistakes (and, hopefully, our successes in encryption, disclosure, etc.), than that seems like the best thing that can come out of this.
While we were very aware of the dangers of the debugger, we ran with it anyway on our development servers because we were confident our development instances were behind our VPN, and the debugger is quite useful for... you know, debugging :D This server slipped through the cracks, and we were not fast enough to pull it back in.
What's definitely most upsetting is articles like this http://arstechnica.com/security/2015/10/patreon-was-warned-o... that were posted in response to your write-up which state that it was our production server which was compromised, and other inaccurate data.
Thanks for the reply.
I actually contacted Dan to clarify that specific statement. My guess is that he misunderstood "publicly available host" with production.
While we were very aware of the dangers of the debugger, we ran with it anyway on our development servers because we were confident our development instances were behind our VPN, and the debugger is quite useful for... you know, debugging :D This server slipped through the cracks, and we were not fast enough to pull it back in.
What's definitely most upsetting is articles like this http://arstechnica.com/security/2015/10/patreon-was-warned-o... that were posted in response to your write-up which state that it was our production server which was compromised, and other inaccurate data.