Public Record: Discrepancies
Side-by-side of statements published by Gardyn against findings in CISA advisory ICSA-26-055-03 and the researcher’s coordinated-disclosure repository.
Source documents on each side
| Federal advisory | CISA ICSA-26-055-03 (Update A, April 2, 2026) |
|---|---|
| Researcher repository | github.com/MichaelAdamGroberman/ICSA-26-055-03 |
| Vendor security update post | mygardyn.com/blog/security-update/ |
| Vendor Privacy Policy | mygardyn.com/policy/privacy/ |
| URL referenced in CISA mitigation guidance | https://mygardyn.com/security/ (HTTP 404 as of April 26, 2026) |
Item-by-item pages
- Vendor public statements — the customer-facing security update post
- Vendor Privacy Policy
- Vendor security page URL
- Vendor Terms of Service
The single direct quotation on this site
From the FAQ section of Gardyn’s customer-facing security update post: “These vulnerabilities did not expose payment card information.” (Source: mygardyn.com/blog/security-update/.)
Per the researcher’s coordinated-disclosure repository, the records returned by the affected /api/users endpoint included the last_four partial payment-card field for approximately 134,215 customers.
What this site does not say
This site does not characterize Gardyn’s statements. It documents the public record on each side and links to primary sources. Reconciliation is left to the reader and to any regulator or attorney with appropriate jurisdiction. If Gardyn or any party believes a statement on this site is inaccurate, see the correction process on the methodology page.