Unless it's security by obscurity, releasing the source code of the entire infrastructure should never result in all systems becoming compromised. So, assuming the API is run over HTTPS with authentication tokens, Chamberlain wouldn't need to (and should under no circumstances) release its SSL certificates' private keys. Instead, the firmware and server infrastructure should be easily modified by the user to point to their own servers (or get rid of intermediate servers and directly be usable on the local network, which is the only good solution anyway).
