How to approach a company about building an HA integration on their API?
Hi, fan of the show here.
I have a question about the right way to approach a company (or whether to do so at all) when you want to publish an API (or a Home Assistant integration) that works with their hardware.
To be more specific, I had a new heating system installed last week, and it has a web UI for modifying settings and reading temperatures, pressures, and other metrics that I'm interested in recording, visualising and creating automations for in Home Assistant.
From the web UI I can see that the system is designed with security in mind - each request must contain various tokens generated with a combination of AES256 encryption, MD5 and SHA512 hashing of the rest of the request, along with device-provided keys and various state-tracking.
This is all done with several handshakes, and on the client side it's done via JavaScript, so scraping isn't trivial - but that also means it can be read, and that's the approach I took.
I managed to reverse the token generation and now have a working Python library for interacting with this device. I can read off all of the stats I wanted to, modify core settings, and I'm almost ready to write a Home Assistant integration for it.
And that's where I got to before it dawned on me that this was hard to crack for a reason. The company may not want me to be able to interact with their system this way, even if I'm the owner of it.
They almost certainly wouldn't want me open sourcing an API to interact with it. They mainly operate in Europe and aren't a huge company.
How should one go about this scenario? Should I open source my library and hope for the best? Should I contact the company and gain permission - and what's the best way of approaching them? Should I just keep it to myself? Or should I stop using my code altogether?
Thanks,
Jake