Coordinated Disclosure Process
How the disclosure was conducted, sourced from the maintainer’s coordinated-disclosure repository.
Definition
Coordinated vulnerability disclosure is the practice of reporting a vulnerability privately to the vendor (and, where applicable, to a recognized coordinator such as CERT/CC or CISA) and withholding public technical detail until the vendor has had a reasonable opportunity to remediate or an agreed or default disclosure deadline has elapsed. For reference, CERT/CC's published policy defaults to public disclosure 45 days after the initial report, regardless of patch status, with adjustments only in extenuating circumstances; the coordinator, not the reporter, controls that clock once a case is opened.
Capacity in which the disclosure was made
Per the maintainer’s repository, the October 14, 2025 disclosure to Gardyn and the December 11, 2025 escalation to CERT/CC were both made by Michael Groberman in his capacity as an affected Gardyn customer with technical knowledge. Standing for the disclosure was first-person: the records returned by the affected /api/users endpoint included the discloser’s own account record, and the device on which unauthenticated remote code execution was demonstrated was a Gardyn device the discloser owned. The public “security researcher” role began with the publication of CISA advisory ICSA-26-055-03 on February 24, 2026, in which CISA credits Michael Groberman as the reporting researcher.
Stages, per the maintainer’s repository
| Stage | Date | Public detail released |
|---|---|---|
| Initial private vendor disclosure as an affected customer with technical knowledge (covering the unauthenticated PII exposure on /api/users and unauthenticated RCE on a Gardyn device the discloser owned) | October 14, 2025 | None |
| CERT/CC escalation after vendor silence, still in the discloser’s customer capacity (parent case VU#653116); 58 days after initial disclosure | December 11, 2025 | None |
| /api/users endpoint stops responding (vendor action observed) | December 18, 2025 | None |
| iothubowner credential rotated (vendor action observed) | January 22, 2026 | None |
| CISA ICSA-26-055-03 published (4 CVEs); CISA credits Michael Groberman as reporting researcher; public “researcher” role begins | February 24, 2026 | CISA advisory |
| CISA Update A (10 CVEs) | April 2, 2026 | CISA advisory updated |
| This documentation site | April 26, 2026 | Material already in public record |
Scope of the October 14, 2025 initial disclosure
Per the maintainer’s repository, the October 14, 2025 disclosure to Gardyn covered:
- The unauthenticated PII exposure on the /api/users endpoint, later assigned CVE-2026-28766. The discloser’s own Gardyn customer account record was among the records returned by the affected endpoint, providing first-person standing for the disclosure.
- Unauthenticated remote code execution on a Gardyn device the discloser owned, demonstrated through the combination of CVE-2025-1242 (hardcoded iothubowner credential) and CVE-2025-29631 (command injection in the upgrade() routine).
Per the maintainer’s repository, the December 11, 2025 CERT/CC engagement was an escalation following vendor silence on the October 14, 2025 disclosure, not the first mention of these issues.
Coordinators
- The vendor (Gardyn Inc.) — first contacted October 14, 2025 by an affected customer with technical knowledge.
- CERT/CC (Carnegie Mellon University, Software Engineering Institute) — engaged December 11, 2025 as escalation; parent case VU#653116 (github.com/MichaelAdamGroberman/VU653116).
- CISA — published ICSA-26-055-03 on February 24, 2026 and Update A on April 2, 2026.
Material withheld pre-publication
Per the maintainer’s repository, no technical detail of the vulnerabilities was published prior to CISA publication. No proof-of-concept code was released. No data drawn from the affected exposure was retained.
Material on this site
This site reproduces only material that has already been published by CISA, NVD, or MITRE, by the maintainer in the public coordinated-disclosure repository, or by Gardyn in customer-facing posts. The site does not publish:
- Working exploit code beyond what is implicit in CISA’s public summary.
- Live credentials, keys, or other secrets.
- Any data drawn from the affected exposure.
See the methodology page.
Embargoed material
Communications on the CERT/CC VINCE coordination platform and pre-publication communications with the vendor are subject to coordination embargoes and are not reproduced on this site.
Maintainer policy
The maintainer:
- Coordinates findings through recognized channels (vendor PSIRT, CERT/CC, or CISA) before public release.
- Welcomes corrections from any party at corrections@gardyn-security-incident.info.
- Maintains dated correction logs rather than overwriting prior text.
- Does not publish, sell, or share data drawn from any affected exposure.