Public Record: Discrepancies
Side-by-side of statements published by Gardyn against findings in CISA advisory ICSA-26-055-03 and the maintainer’s coordinated-disclosure repository.
Item-by-item analyses
- mygardyn.com/security/ referenced in CISA mitigation guidance: 301 redirect to /blog/security-update/ per April 27, 2026 capture
- Vendor Terms of Service: Effective Date revised six and a half years forward, document size and word-count changes, snapshot index, Section 10 device-security and security-testing prohibition additions
Source documents on each side
| Document | Live source | Local archive |
|---|---|---|
| Federal advisory | CISA ICSA-26-055-03 (Update A, April 2, 2026) | — |
| Maintainer repository | github.com/MichaelAdamGroberman/ICSA-26-055-03 | — |
| Vendor security update post | mygardyn.com/blog/security-update/ | archived copy |
| Vendor Privacy Policy | mygardyn.com/policy/privacy/ | archived copy |
| Vendor Terms of Service | mygardyn.com/policy/terms-of-service/ | archived copy |
| URL referenced in CISA mitigation guidance | https://mygardyn.com/security/ (HTTP 301 redirect to https://mygardyn.com/blog/security-update/ as of April 29, 2026) | archived copy |
Local archives are preserved as fetched on the dates listed in /captures/manifest.json. Live URLs are linked first; the archives serve as the primary record if a live URL changes or returns a different status.
Vendor page edits over time
Three vendor pages have been captured at multiple points during the disclosure window and are mirrored locally with primary-source links to web.archive.org:
- Wayback Machine captures index — mirrored captures across three vendor pages, with capture timestamps, JSON-LD dateModified, body “Last updated” or “Effective Date” strings, and SHA-256 hashes. Per-page enumerations appear in the item-by-item discrepancy pages below.
The dated edit observations for each page are documented in the corresponding item-by-item discrepancy page below.
The single direct quotation on this site
From the FAQ section of Gardyn’s customer-facing security update post: “These vulnerabilities did not expose payment card information.” (Source: mygardyn.com/blog/security-update/; preserved at archived copy.)
Per the maintainer’s coordinated-disclosure repository, the records returned by the affected /api/users endpoint included a partial payment-card field (last_four), not the full card number or CVV, for approximately 134,215 customers.
What this site does not say
This site does not characterize Gardyn’s statements. It documents the public record on each side and links to primary sources. Reconciliation is left to the reader and to any regulator or attorney with appropriate jurisdiction. If Gardyn or any party believes a statement on this site is inaccurate, see the correction process on the methodology page.