Coordinated Disclosure Process
How the disclosure was conducted, sourced from the researcher’s coordinated-disclosure repository.
Definition
Coordinated vulnerability disclosure is the practice of reporting a vulnerability privately to a vendor (and, where applicable, to a recognized coordinator such as CERT/CC or CISA) before publication of technical detail.
Stages, per the researcher’s repository
| Stage | Date | Public detail released |
|---|---|---|
| Initial vendor disclosure | October 14, 2025 | None |
| CERT/CC disclosure (parent case VU#653116) | December 11, 2025 | None |
| /api/users endpoint stops responding (vendor action observed) | December 18, 2025 | None |
| iothubowner credential rotated (vendor action observed) | January 22, 2026 | None |
| CISA ICSA-26-055-03 published (4 CVEs) | February 24, 2026 | CISA advisory |
| CISA Update A (10 CVEs) | April 2, 2026 | CISA advisory updated |
| This documentation site | April 26, 2026 | Material already in public record |
Coordinators
- The vendor (Gardyn Inc.) — first contacted October 14, 2025 per the researcher’s repository.
- CERT/CC (Carnegie Mellon University, Software Engineering Institute) — engaged December 11, 2025; parent case VU#653116 (researcher repository at github.com/MichaelAdamGroberman/VU653116).
- CISA — published ICSA-26-055-03 on February 24, 2026 and Update A on April 2, 2026.
Material withheld pre-publication
Per the researcher’s repository, no technical detail of the vulnerabilities was published by the researcher prior to CISA publication. No proof-of-concept code was released. No data drawn from the affected exposure was retained.
Material on this site
This site reproduces only material that has already been published by CISA, NVD, MITRE, by the researcher in the public coordinated-disclosure repository, or by Gardyn in customer-facing posts. The site does not publish:
- Working exploit code beyond what is implicit in CISA’s public summary.
- Live credentials, keys, or other secrets.
- Any data drawn from the affected exposure.
See the methodology page.
Embargoed material
Communications on the CERT/CC VINCE coordination platform and pre-publication communications with the vendor are subject to coordination embargoes and are not reproduced on this site.
Researcher policy
The maintainer:
- Coordinates findings through recognized channels (vendor PSIRT, CERT/CC, or CISA) before public release.
- Welcomes corrections from any party at corrections@gardyn-security-incident.info.
- Maintains dated correction logs rather than overwriting prior text.
- Does not publish, sell, or share data drawn from any affected exposure.