When a user sets their donation Privacy level to "Secret" they are indicating that they don't want to be identified by the donation recipient.
By exporting the patron_avatar_url, in https://liberapay.com/<account_name>/patrons/export.csv, the user might be exposed just by doing a reverse image search for such avatar.
I would hope that there is no gain in trying to deanonymise their donors, but including the avatar should not be needed and I hope it should be an easy fix.
I do not wish to be compensated in any way, the reason for using HackerOne is just that I don't want to disclose the issue on GitHub. Thank you for your great service! :)
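
An added example, not part of the original report and not Liberapay's own code: a check a maintainer could run over a patrons export to confirm that rows for "Secret" donations carry no identifying values, together with a redaction pass. Only `patron_avatar_url` comes from the report; the other column names, the `visibility` column and its stored value, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Columns that could identify a patron. Only patron_avatar_url is named in the
# report; the other two names are assumptions made for this example.
IDENTIFYING_COLUMNS = ("patron_id", "patron_username", "patron_avatar_url")
PRIVACY_COLUMN = "visibility"  # assumed column name
SECRET = "secret"              # assumed stored value for the "Secret" level

# Constructed sample export, not real data.
SAMPLE_EXPORT = """\
pledge_date,weekly_amount,visibility,patron_id,patron_username,patron_avatar_url
2021-01-04,1.00,secret,101,alice,https://avatars.example/alice.png
2021-01-05,2.50,public,102,bob,https://avatars.example/bob.png
2021-01-06,0.50,Secret,103,,https://avatars.example/carol.png
"""

def is_secret(row):
    """True when the row's privacy level is the secret one (case-insensitive)."""
    return (row.get(PRIVACY_COLUMN) or "").strip().lower() == SECRET

def find_leaks(csv_text):
    """Return (line_number, column) for each identifying value on a secret row."""
    reader = csv.DictReader(io.StringIO(csv_text))
    leaks = []
    for row in reader:
        if is_secret(row):
            for col in IDENTIFYING_COLUMNS:
                if (row.get(col) or "").strip():
                    leaks.append((reader.line_num, col))
    return leaks

def redact_secret_rows(csv_text):
    """Blank every identifying column on secret rows; other rows pass through."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        if is_secret(row):
            for col in IDENTIFYING_COLUMNS:
                if col in row:
                    row[col] = ""
        writer.writerow(row)
    return out.getvalue()

if __name__ == "__main__":
    print(find_leaks(SAMPLE_EXPORT))
    print(redact_secret_rows(SAMPLE_EXPORT))
```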