Introduction
Rollio, Inc. takes the security of our systems seriously and values the security research community. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users. This Vulnerability Disclosure Policy (VDP) outlines the rules of engagement for security research on Rollio systems.
Researcher Guidelines
We require that all researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
- Perform research only within the scope defined below.
- Use the identified communication channels to report vulnerability information to us.
- Keep information about any discovered vulnerabilities confidential between yourself and Rollio until we've had 90 days to resolve the issue.
If you follow these guidelines, we commit to:
- Not pursue or support any legal action related to your research.
- Provide an initial acknowledgment of your report within 72 hours of submission.
- Work with you to understand and resolve the issue quickly.
- Recognize your contribution in our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on it.
Scope
In scope:
- rollio.ai and all subdomains
- The Rollio autonomous agent platform
- Rollio's published APIs
Out of scope:
- Services hosted by third-party providers — report directly to those vendors.
- Physical testing (e.g., office access, tailgating).
- Social engineering attacks (phishing, vishing).
- Applications or systems not listed in the scope section above.
- UI/UX bugs and spelling mistakes.
- Network-level Denial of Service (DoS/DDoS) vulnerabilities.
Our Response Timeline
- Initial acknowledgment: within 72 hours
- Triage and severity assessment: within 5 business days
- Remediation (critical/high severity): within 30 days
- Coordinated public disclosure: after 90 days, or earlier once the issue is resolved
How to Report
If you believe you've found a security vulnerability in Rollio products or platforms, please email us at:
Please include in your report:
- Description of the vulnerability and its potential impact
- Location of the affected component (URL, endpoint, or API)
- Detailed steps to reproduce, including any PoC scripts, screenshots, or screen captures
- Your name or handle for Hall of Fame recognition (optional)
Please do not include personally identifiable information (PII) or credit card holder data in your report.
What We Do Not Accept
The following activities are prohibited under this policy, are not covered by the safe-harbor commitment above, and may result in legal action:
- Accessing, modifying, or deleting data beyond what is necessary to demonstrate the vulnerability.
- Denial-of-service attacks against Rollio infrastructure.
- Social engineering Rollio employees or customers.
- Automated scanning that generates excessive load on our systems.
This policy was last reviewed on May 29, 2025. We may update it from time to time.