This page mirrors the project's TRUST.md. Same content. If something here is inaccurate, file an issue or email security@.
Roster's MSI does not carry an Authenticode signature, and the plan is to keep it that way for the foreseeable future. When you run the installer for the first time, Windows SmartScreen will warn you. To proceed, click More info → Run anyway.
The Download page publishes the SHA-256 for every release. Run Get-FileHash on the file you downloaded and compare the result against the value in the release notes; if they match, the file is byte-for-byte what we published. A matching hash proves the bytes are the ones we published; it says nothing about who built them, which is the question an Authenticode signature would have answered. Because the MSI is unsigned, this hash check is the only integrity check a first install gets; updates after that arrive as signed packages. If you would not run an unsigned MSI under any circumstance, do not run Roster.
All of the following stays on your machine: the vault, the refresh logs, the audit log, the account settings, your tilings, the master password (held only ever as an Argon2id-derived key in memory), every cookie, every CSRF token, every captured response body. All of it. Apart from the update check, the Pro licence refresh and the Free-tier ads, the application would still work if you firewalled it from everything except Roblox.
Roster's refresh loop talks to Roblox's web API on each account's behalf. These calls go through the same hosts your browser would hit: auth.roblox.com, users.roblox.com, accountsettings.roblox.com, and a small set of others. We never touch the game client's own sockets.
Roblox can rotate an account's .ROBLOSECURITY cookie whenever any session uses it. If you log into an account through your browser, your phone, or another tool while that account is in Roster's vault, Roblox can hand a new cookie to that other session, and the one Roster holds stops working until you log in again. Use each account through Roster or through another tool, not both at the same time.

Roster polls GitHub Releases for the project once an hour. If a newer version is available, the Velopack release package is downloaded in the background and applied on the next launch. The release package is Ed25519-signed; the app rejects any update whose signature does not verify against a public key compiled into the binary at build time. The signing keypair is held by the maintainer, not by GitHub, so someone who took over the GitHub project or its CI could publish a release but could not produce one the updater accepts.
If you've bought Pro, activation sends your activation code plus a hardware fingerprint hash to api.accountroster.com, and you get back an Ed25519-signed licence token bound to that fingerprint. After activation, the app re-asks the endpoint for a fresh token once per day; in between, verification is entirely local. Lifetime grants skip the daily refresh because the token has no expiry. See Privacy for the full description of what's sent and what's kept.
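The three local checks described above, the SHA-256 comparison against the release notes, the update package signature against the key compiled into the binary, and the Pro licence token against the licence key, the hardware fingerprint and the token's expiry, written out as an added example. This is not Roster's code and not Velopack's; the key pair, the JSON token layout, the choice to sign the package's SHA-256 rather than its raw bytes, the package bytes and the fingerprint strings are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Added example, not Roster's code. It models the three checks the page describes:
// a downloaded file against the SHA-256 in the release notes, an update package
// against the key compiled into the binary, and a Pro licence token against the
// licence key, the machine fingerprint and the token's expiry. Everything is constructed.

// In the shipped binary the public keys are fixed at build time; the demo generates
// them at start-up and keeps the private halves only to play the signer's role.
var (
	pinnedUpdateKey, pinnedLicenceKey   ed25519.PublicKey
	demoUpdateSigner, demoLicenceSigner ed25519.PrivateKey
)

func init() {
	pinnedUpdateKey, demoUpdateSigner, _ = ed25519.GenerateKey(rand.Reader)
	pinnedLicenceKey, demoLicenceSigner, _ = ed25519.GenerateKey(rand.Reader)
}

var errBadSignature = errors.New("signature does not verify against the pinned key")

// matchesPublishedHash is the first-install check: SHA-256 of the file must equal the
// hex value copied from the release notes (either letter case is accepted).
func matchesPublishedHash(file []byte, publishedHex string) bool {
	want, err := hex.DecodeString(publishedHex)
	if err != nil || len(want) != sha256.Size {
		return false
	}
	got := sha256.Sum256(file)
	return subtle.ConstantTimeCompare(got[:], want) == 1
}

// verifyUpdate accepts a package only if its detached signature verifies against the
// pinned update key. Signing the package's SHA-256 is an assumption about the format;
// every byte is covered either way, and a missing signature fails like a wrong one.
func verifyUpdate(pkg, sig []byte) error {
	digest := sha256.Sum256(pkg)
	if !ed25519.Verify(pinnedUpdateKey, digest[:], sig) {
		return errBadSignature
	}
	return nil
}

// licence is a hypothetical token body: the fingerprint hash it is bound to and its
// expiry as a Unix timestamp, zero meaning a lifetime grant that never expires.
type licence struct {
	Fingerprint string `json:"fp"`
	ExpiresUnix int64  `json:"exp"`
}

// verifyLicence is the local check that runs between daily refreshes. Nothing inside
// the token is trusted until the signature holds, so that check comes first.
func verifyLicence(token, sig []byte, localFingerprint string, now time.Time) error {
	if !ed25519.Verify(pinnedLicenceKey, token, sig) {
		return errBadSignature
	}
	var lic licence
	if err := json.Unmarshal(token, &lic); err != nil {
		return fmt.Errorf("malformed token: %w", err)
	}
	if lic.Fingerprint != localFingerprint {
		return errors.New("token is bound to a different machine")
	}
	if lic.ExpiresUnix != 0 && !now.Before(time.Unix(lic.ExpiresUnix, 0)) {
		return errors.New("token has expired; fetch a fresh one from the licence endpoint")
	}
	return nil
}

// signUpdate and issueLicence stand in for the maintainer's release step and for the
// licence server; they exist only so the demo has valid signatures to verify.
func signUpdate(pkg []byte) []byte {
	digest := sha256.Sum256(pkg)
	return ed25519.Sign(demoUpdateSigner, digest[:])
}

func issueLicence(fingerprint string, expiresUnix int64) (token, sig []byte) {
	token, _ = json.Marshal(licence{Fingerprint: fingerprint, ExpiresUnix: expiresUnix})
	return token, ed25519.Sign(demoLicenceSigner, token)
}

func main() {
	pkg := []byte("constructed release package bytes")
	sig := signUpdate(pkg)
	fmt.Println("genuine update:", verifyUpdate(pkg, sig))
	pkg[0] ^= 1 // one flipped bit changes the digest, so the signature no longer verifies
	fmt.Println("tampered update:", verifyUpdate(pkg, sig))
	now := time.Unix(1700000000, 0)
	token, lsig := issueLicence("fp-constructed", now.Add(24*time.Hour).Unix())
	fmt.Println("licence on another machine:", verifyLicence(token, lsig, "fp-other", now))
}
```

The ordering in verifyLicence is the part worth copying: signature before parsing, fingerprint before expiry, and an expiry of zero treated as "never" so a lifetime grant needs no daily refresh. Note that the pinned keys stand in for build-time constants; generating them at start-up, as the demo does, would defeat the whole point in a real binary.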
That is the entire list of endpoints Roster itself contacts: no analytics, no crash pings, no feature-usage tracking. The Free tier additionally loads the AdsJumbo SDK for two placements, a banner in the workspace side rail and one video ad before each Roblox launch; whatever that SDK fetches to serve them is AdsJumbo's traffic, not covered by the list above. Pro removes both placements.
Roster lets you manage and launch multiple Roblox accounts from one machine. It deliberately doesn't try to make those accounts look like they come from different machines.
Every account you launch through Roster talks to Roblox from your machine's IP. If Roblox applies an IP-level rate limit, captcha, or sanction, it lands on every account using that connection, because they all share the same source address. We looked at per-account proxy routing for v1 and dropped it; the kernel-driver footprint, the kill-switch failure modes, and the support load for "my proxy died and my cookie is now on my home IP" were all wrong for a one-person product. There is no current plan to add it.
Roblox's client collects HWID-style data (MAC addresses, disk serials, SMBIOS fields). Every account launched from this machine shares that fingerprint. An HWID-level sanction against one alt can implicate the others on the same host. Roster does not spoof HWID — that would require drivers or client modification, which is exactly the territory we promise to stay out of.
Captcha challenges, "I Agree" walls, age-gated content, payment-method restrictions, account-age requirements, and any moderation action Roblox takes against a specific account are unaffected by Roster. Moderation auto-agree (Pro) only acknowledges the lowest-severity prompts (ToS re-accepts and cosmetic warnings); anything heavier than that surfaces to you.
Hyperion / Byfron evaluates what happens inside the Roblox client during gameplay. How you launched the client is not a substitute for behaving well in-game. Exploits, scripts, and policy-violating gameplay can get an account banned regardless of whether it came through Roster.
In short: Roster is a launcher and a vault, not a disguise. If your use case requires looking like a different person to Roblox, that's a different product than this one.
Roster's account vault is a single encrypted file at %LocalAppData%\Roster\vault.bin. Each per-account secret inside it is wrapped twice:
Plaintext cookies exist in process memory only for the milliseconds it takes to make one authenticated call, and are zeroed when that call returns.
Every Roster release is built from a tagged commit on the public repository. The release runbook in docs/runbooks/release.md documents the exact steps. For each release we publish the MSI installer, the Velopack release package, and the SHA-256 of every file in the release notes.
The Velopack release package is signed with an Ed25519 key held by the maintainer; the auto-updater refuses to apply an unsigned or wrong-signature update. The signing key is not stored in a CI runner and not accessible from any GitHub-hosted environment.
Dependencies are pinned to specific versions via Directory.Packages.props with --locked-mode restore in CI; transitive licences are audited in THIRD_PARTY_LICENSES.md.
If you find a security issue in Roster, please tell us before you tell anyone else. We will respond, fix, and credit you (unless you ask us not to).