Vulnerability Disclosure Policy
Effective 2026-05-27 · Version 1 · LarsCo LLC · All legal documents
1. Summary
We welcome good-faith security research and reports of vulnerabilities affecting ROAMiQ Cloud, the ROAMiQ Connect add-on, the ROAMiQ companion app, and the firmware-server APIs. This policy describes the systems we want you to test, how to report what you find, and the protections we extend to researchers acting in good faith.
2. Scope
- *.roamiq.com web properties
- The ROAMiQ Cloud Home Assistant add-on
- The ROAMiQ companion mobile app (iOS)
- The firmware-server APIs at firmware-server.roamiq.com
- ROAMiQ-branded hardware firmware (Display Screen, Hub, motor relays, dimmers, BLE-link chips) when the device is in your possession
3. Out of scope
- Social engineering of LarsCo employees, customers, or vendors.
- Physical attacks against LarsCo facilities or staff.
- Denial-of-service attacks of any kind.
- Reports against third-party services (Stripe, Supabase, Cloudflare, Vercel, Microsoft, Klaviyo) — please report those to the third party directly.
- Findings derived from automated scanners without manual verification.
- Missing security headers without a working exploit chain.
- Reports that require an already-compromised account or device.
4. How to report
Email [email protected] with a clear write-up: affected system, reproduction steps, impact, and any proof-of-concept. Encrypt sensitive details with our PGP key (published on request) if desired.
5. Safe harbor
LarsCo will not pursue legal action or refer to law enforcement a security researcher whose conduct is consistent with this policy. We consider research conducted under this policy to be:
- Authorized under the Computer Fraud and Abuse Act (18 U.S.C. § 1030) and analogous state laws.
- Exempt from claims under the DMCA anti-circumvention provisions (17 U.S.C. § 1201(j)) for good-faith security research.
- Consistent with our Terms of Service and Acceptable Use Policy.
This safe harbor does not extend to access to accounts, data, or devices that are not your own; data exfiltration beyond what is necessary to demonstrate the finding; or public disclosure before we have had a reasonable opportunity to respond (see timeline below).
6. Response timeline
- Acknowledgement: within 5 business days.
- Initial triage: within 10 business days.
- Resolution target: 90 days for high-severity, 180 days for medium, best-effort for low.
- Coordinated disclosure: we ask researchers to refrain from public disclosure until a fix has shipped or 90 days have passed since the initial report, whichever is sooner.
7. Bounty
We do not currently offer a paid bug bounty. Notable reports receive public credit (with your permission) and ROAMiQ swag. We may upgrade to a paid program in the future via HackerOne or Bugcrowd.