Security Disclosure (Vulnerability Disclosure Policy) — GAO Internet

Effective date: Jan 1, 2026

Last updated: Jan 1, 2026

We take security seriously and welcome good-faith vulnerability reports to help keep GAO Internet safe.

1. Scope

This policy applies to security vulnerabilities affecting:

  • GAO Internet websites and documentation
  • GAO Internet Gateway services and APIs/SDKs
  • GAO Internet Network services and supporting infrastructure
  • Official client applications/components we publish (if applicable)

Third-party services (blockchains, wallets, dApps, external providers) are out of scope unless the vulnerability is in our integration code.

2. How to report

Email: [email protected]

Please include:

  • Affected component(s) and environment
  • Steps to reproduce (proof-of-concept if available)
  • Expected vs. observed behavior
  • Impact assessment and any suggested mitigation

If you require encrypted communication, request our PGP key.

3. Safe harbor for good-faith research

We will not pursue legal action for good-faith research that:

  • Avoids privacy violations, data destruction, and service disruption
  • Uses the minimum testing necessary to confirm the issue
  • Does not access or exfiltrate data beyond what is strictly needed to demonstrate impact
  • Does not degrade availability (no DDoS, no load testing) without written permission
  • Complies with applicable law

4. Coordinated disclosure

  • Please do not publicly disclose the issue until a fix or mitigation is available.
  • We will acknowledge receipt within a reasonable time and coordinate a disclosure timeline.

5. Out of scope (examples)

  • Social engineering, physical attacks, or threats to employees/users
  • Volumetric DDoS testing or large-scale automated scanning
  • Reports that are “best practice only” without demonstrated security impact
  • Issues requiring compromised devices/accounts unrelated to a platform vulnerability

6. Security contact and incident reporting

For suspected active exploitation: [email protected]

General support: [email protected]

7. security.txt (recommended)

You may publish the following file at:

/.well-known/security.txt

Contact: mailto:[email protected]
Contact: mailto:[email protected]
Policy: https://gao.systems/security-disclosure
Preferred-Languages: en, vi
Canonical: https://gao.systems/.well-known/security.txt