Scope

In-scope: gao.systems, docs.gao.systems, key.gao.global, store.gao.global, crm.gao.global, gao.global, app.gao.social/world, and public repositories under github.com/gao-systems.

Out of scope: legacy or experimental orgs not operated by Gao Systems, third-party services merely linked from our surfaces, and attacks requiring physical access to a user's device.

How to disclose

Preferred channel: security@gao.systems. Include a clear, reproducible description of the issue, the affected surface, and any proof-of-concept needed to reproduce.

We will acknowledge receipt within a reasonable period and keep you informed of remediation progress. We ask that you give us a reasonable time window to remediate before any public disclosure.

Safe harbour

Good-faith research consistent with this policy will not be subject to legal action by Gao Systems. Do not access, modify, or exfiltrate data that is not yours; do not degrade service for other users; do not exploit findings beyond what is necessary to demonstrate the issue.

Out-of-scope severity

Reports of theoretical risks without a reproducible impact, social-engineering tests against employees, and findings on third-party-hosted infrastructure are likely to be marked informational. We still appreciate the report.

Acknowledgements

We may, with your permission, acknowledge responsibly disclosed issues in release notes or in this section. Acknowledgement is not a substitute for any bounty programme; a formal programme may be announced separately.

Contact

security@gao.systems