Vulnerability Disclosure Policy

1. Introduction

Roland Corporation ("Roland" or "the Company") has established a Vulnerability Information Management System to address potential and confirmed technology-based vulnerabilities.
This Vulnerability Disclosure Policy applies to vulnerabilities that you are considering reporting to us.
We encourage you to read and fully comply with this Vulnerability Disclosure Policy before submitting a report to us.

2. Vulnerability Reporting Guidelines

  • Do not cause any damage, harm or loss of any kind to any person or organization in the process of investigating, preparing, submitting, and discussing a report.
  • Always act in accordance with applicable national and local laws and regulations.
  • Do not disclose suspected vulnerabilities to third parties before they are resolved, as they could be exploited to cause damage or loss to individuals or organizations.
  • Do not use physical security attacks, social engineering, or other illegal means to detect vulnerabilities.
  • Do not exploit, test, or otherwise use the suspected vulnerability.

3. Submitting a Vulnerability Report

If you have discovered a potential vulnerability in one of the products listed in "5. Included Products", please submit a report to the following Vulnerability Contact secure email address:

psirt-info@roland.com

When creating a vulnerability report, please provide the following information:

  1. Name of the product, app, or service containing the vulnerability.
  2. Version of the product containing the vulnerability, if applicable (e.g. computer or device OS name and version, app version, etc.).
  3. Type of vulnerability, if known (buffer overflow, RCE, etc.).
  4. Detailed steps/procedure for reproducing the vulnerability.
  5. Proof-of-concept code or attack code, if known.
  6. Potential impact of the vulnerability.
  7. The reporter's contact information (company name, department, department supervisor, country/region, address, telephone number, e-mail address, etc.)

When you contact us to report a vulnerability, we ask that you use encryption or some other means to ensure the secure transfer of all information being reported.
Finally, by submitting a vulnerability report, you authorize Roland to contact you for further information if necessary.

4. Vulnerability Report Response

Roland typically acknowledges receipt of vulnerability reports within 7 business days. Upon receipt, we will work with the reporter to confirm and, if necessary, resolve the vulnerability, usually within 180 business days.
Periodic updates will be made while we work towards confirmation and resolution, and a final update will be made when the vulnerability is fully resolved.
We will only accept reports for products listed in "5. Included Products". Any other reports will not be accepted.

5. Included Products

This Vulnerability Disclosure Policy applies to network-connected hardware products, apps, and services from Roland.
As the list of included hardware expands, specific models will be listed here as part of the Policy.

Vulnerability Support Window by Model

| Model Name | Support Window (Software) | Support Window (Hardware in Europe) | End of Production |
|---|---|---|---|
| P-20HD | End of Production + 3 Years | End of Production + 10 Years | Not Reached |
| V-60HD | End of Production + 3 Years | End of Production + 10 Years | Not Reached |
| V-160HD | End of Production + 3 Years | End of Production + 10 Years | Not Reached |
| V-600UHD | End of Production + 3 Years | End of Production + 10 Years | Not Reached |
| V71 | End of Production + 3 Years | End of Production + 10 Years | Not Reached |
| VC-100UHD | End of Production + 3 Years | End of Production + 10 Years | Not Reached |
| VP-42H | End of Production + 3 Years | End of Production + 10 Years | Not Reached |
| VR-6HD | End of Production + 3 Years | End of Production + 10 Years | Not Reached |
| VR-120HD | End of Production + 3 Years | End of Production + 10 Years | Not Reached |
| VR-400UHD | End of Production + 3 Years | End of Production + 10 Years | Not Reached |
| WC-1 | End of Production + 3 Years | End of Production + 10 Years | Not Reached |
| XS-42H | End of Production + 3 Years | End of Production + 10 Years | Not Reached |
| XS-62S | End of Production + 3 Years | End of Production + 10 Years | Not Reached |

Updated: October 1, 2024