Responsible Disclosure

Overview

Gao Internet values responsible security research and coordinated vulnerability disclosure.

If you believe you have identified a security issue affecting a Gao-operated service, public codebase, or developer-facing integration maintained by Gao, please report it responsibly.

This policy is intended to help researchers disclose issues safely and effectively.


Goals

The goals of this policy are to:

  • protect users and developers

  • encourage responsible reporting

  • reduce the risk of public exploitation before remediation

  • provide a clear communication path for security issues


What to Report

Please report issues such as:

  • authentication or authorization bypass

  • exposed sensitive data

  • payment flow vulnerabilities

  • domain or identity spoofing risks

  • service integrity issues

  • infrastructure misconfiguration

  • privilege escalation

  • signing flow confusion that could materially affect user safety

  • AI or agent permission bypass in Gao-operated systems


Out of Scope

The following are generally out of scope unless they create clear user harm or significant system risk:

  • low-risk informational issues

  • best-practice suggestions without exploitability

  • theoretical issues without a realistic attack path

  • issues only affecting unsupported or modified third-party deployments

  • vulnerabilities in third-party services not controlled by Gao


Reporting Process

When reporting an issue, please include:

  • affected component

  • description of the issue

  • impact assessment

  • reproduction steps

  • proof of concept if safe and appropriate

  • suggested remediation if available

Please provide enough detail for the issue to be validated.


Coordinated Disclosure Expectations

Researchers are asked to:

  • avoid public disclosure before remediation or coordination

  • avoid actions that harm users, services, or data

  • avoid exploiting the issue beyond what is necessary to demonstrate impact

  • avoid accessing data that is not necessary for validation

Gao will make reasonable efforts to investigate and respond in a timely manner.


Safe Research Expectations

Please do not:

  • exfiltrate user data

  • disrupt service availability

  • access accounts or assets without authorization

  • perform destructive testing on production systems

  • attempt extortion or coercive disclosure

Security research should be conducted in good faith.


Response Goals

Gao aims to:

  • acknowledge receipt of valid reports

  • investigate credible findings

  • coordinate remediation where appropriate

  • communicate status updates when possible

Response times may vary depending on severity and operational complexity.


Disclosure Resolution

Once a vulnerability is remediated, Gao may choose to:

  • publish a security notice

  • credit the reporting researcher

  • include the issue in postmortem or release notes

  • consider eligibility under the Bug Bounty program


How to Report

Security disclosures should be submitted through Gao’s official security contact channel.

Contact: security@gao.internet

If a dedicated disclosure portal is introduced later, this document will be updated accordingly.


Gao supports good-faith security research conducted in accordance with this policy.

Researchers acting in good faith and following this policy are more likely to enable safe and coordinated remediation.

This policy does not grant authorization for harmful, destructive, or unlawful activity.