Revenue Optimization & Intelligence (ROI) serves healthcare billing professionals. The security and integrity of our platform is critical to our users and to the patients whose data our users manage. We take every security concern seriously, and we genuinely appreciate the work of security researchers who help us find and fix vulnerabilities before they can be exploited.
This Vulnerability Disclosure Policy describes how to report security vulnerabilities responsibly, what you can expect from us, and what we ask of you in return.
We will acknowledge receipt of your report within 48 hours of receiving it.
We will investigate every report promptly and in good faith, and keep you informed of our progress.
We will not pursue legal action against researchers who act in accordance with this policy and in good faith.
We ask that you give us reasonable time to remediate before public disclosure. We aim to resolve critical issues within 90 days.
With your permission, we will acknowledge your contribution in our security acknowledgments once the issue is resolved.
We will keep your report confidential and will not share your personal information without your consent.
We are interested in hearing about any vulnerability that could affect the security or privacy of our platform, our users, or data we hold. This includes:
• Authentication or authorization vulnerabilities (bypassing login, accessing other users' accounts)
• Injection vulnerabilities (SQL injection, XSS, command injection)
• Sensitive data exposure (unencrypted data in transit or at rest, exposed credentials or API keys)
• Misconfigured infrastructure (open ports, publicly exposed admin panels, S3/OCI bucket misconfigurations)
• Insecure direct object references (accessing data you should not have access to)
• Security header or SSL/TLS configuration issues
To qualify for protection under this policy, researchers must act in good faith and comply with the following guidelines. Researchers who do not follow these guidelines are not covered by our safe harbor commitment.
Do:
• Test only against accounts you own or have explicit written permission to test.
• Stop immediately if you encounter actual user data or PHI. Document what you found and report it without further access.
• Give us a reasonable time to remediate before public disclosure (90 days for critical issues, 30 days for others).
Do not:
• Access, exfiltrate, modify, or delete data beyond what is necessary to demonstrate the vulnerability.
• Conduct tests that could degrade or disrupt service.
• Violate the privacy of any ROI user or patient.
• Use automated scanning tools that generate excessive traffic without prior written approval.
• Demand payment in exchange for vulnerability information. This will be treated as extortion.
Send your report to compliance@roithatworks.com with the subject line "Security Disclosure." Please include:
• A clear description of the vulnerability and its potential impact
• Step-by-step reproduction instructions
• Screenshots, videos, or proof-of-concept code (if applicable)
• The URL or component affected
• Your name or handle (if you want credit) and preferred contact method
You may encrypt sensitive reports using PGP if you prefer — email us first to request our public key.
In accordance with RFC 9116, ROI maintains a security.txt file at roithatworks.com/.well-known/security.txt. It is a plain-text file named security.txt, served over HTTPS at /.well-known/security.txt, that points researchers at the contact address above; its Expires field is refreshed annually so the file never advertises a stale contact.