Vulnerability disclosure.

This policy covers our public web properties, including guardino.ai and guardinotechnologies.com, the signed-in dashboard, our APIs, and our public-facing DNS and application infrastructure.

Out of scope: third-party services we do not operate, volumetric denial-of-service testing, social-engineering of our staff or customers, and physical attacks.

Email support@guardino.ai with a clear description, the steps to reproduce, affected URLs or endpoints, and any proof-of-concept. A machine-readable security.txt is published at /.well-known/security.txt.

Please give us a reasonable time to investigate and remediate before any public disclosure, and do not access, modify or exfiltrate data beyond the minimum needed to demonstrate the issue.

If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorised, will not pursue or support legal action against you, and will work with you to understand and resolve the issue quickly.

This authorisation does not extend to actions that violate the privacy of our users, destroy data, degrade our services, or break applicable law.

We aim to acknowledge reports within 3 business days, to provide a remediation timeline after triage, and to keep you informed through resolution.

We are happy to credit researchers who wish to be named. We do not currently operate a paid bug-bounty programme; this may change and will be announced here.

Security reports: support@guardino.ai

Preferred languages: English, Turkish.