Security

Vulnerability Disclosure Policy

We value the security community. Here's how to work with us.

Introduction

Rollio, Inc. takes the security of our systems seriously and values the security research community. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users. This Vulnerability Disclosure Policy (VDP) outlines the rules of engagement for security research on Rollio systems.

Researcher Guidelines

We require that all researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  • Perform research only within the scope defined below.
  • Use the identified communication channels to report vulnerability information to us.
  • Keep information about any discovered vulnerabilities confidential between yourself and Rollio until we've had 90 days to resolve the issue.

If you follow these guidelines, we commit to:

  • Not pursue or support any legal action related to your research.
  • Provide an initial acknowledgment of your report within 72 hours of submission.
  • Work with you to understand and resolve the issue quickly.
  • Recognize your contribution in our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on it.

Scope

In scope:

  • rollio.ai and all subdomains
  • The Rollio autonomous agent platform
  • Rollio's published APIs

Out of scope:

  • Services hosted by third-party providers — report directly to those vendors.
  • Physical testing (e.g., office access, tailgating).
  • Social engineering attacks (phishing, vishing).
  • Applications or systems not listed in the scope section above.
  • UI/UX bugs and spelling mistakes.
  • Network-level Denial of Service (DoS/DDoS) vulnerabilities.

Our Response Timeline

  • Initial acknowledgment: within 72 hours
  • Triage and severity assessment: within 5 business days
  • Remediation (critical/high): within 30 days
  • Coordinated public disclosure: after 90 days or when resolved

How to Report

If you believe you've found a security vulnerability in Rollio products or platforms, please email us at:

security@rollio.ai

Please include in your report:

  • Description of the vulnerability and its potential impact
  • Location of the affected component (URL, endpoint, or API)
  • Detailed steps to reproduce, including any PoC scripts, screenshots, or screen captures
  • Your name or handle for Hall of Fame recognition (optional)

Please do not include personally identifiable information (PII) or credit card holder data in your report.

What We Do Not Accept

The following activities are out of scope and may result in legal action:

  • Accessing, modifying, or deleting data beyond what is necessary to demonstrate the vulnerability.
  • Denial-of-service attacks against Rollio infrastructure.
  • Social engineering Rollio employees or customers.
  • Automated scanning that generates excessive load on our systems.

This policy was last reviewed on May 29, 2025. We may update it from time to time.

Found something? Let us know.

We acknowledge all valid reports within 72 hours.