Publish canonical activity front page

This commit is contained in:
Joseph R. Goydish II
2026-05-21 13:09:55 -07:00
parent ebe1b69bcd
commit 344a6beb62
10 changed files with 594 additions and 195 deletions
+56 -105
View File
@@ -1,126 +1,77 @@
# "For the Record"
# Joseph R. Goydish II
This repository serves as the canonical, cryptographically anchored ledger of my security research (Track B) and regulatory/whistleblower disclosures (Track A).
Public-interest technical record, evidence preservation, and signed activity ledger.
This system is built on an **Active Forensic** architecture. I do not ask for trust; I provide the third-party cryptographic and institutional anchors required for independent verification.
This profile indexes public records, signed ledger entries, submissions, receipts, hashes, and supporting artifacts that can be checked independently. The strongest current anchors are two CNVD/CNCERT certificate exhibits naming `Joseph Goydish` as contributor for Apple vulnerability records, plus a five-CVE CISA/NVD rescore trail tied to public vulnrichment filings.
## Core Metrics
- **Total Cases:** 27
- **Verifiable Timeline Events:** 187
- **High-Impact CVE Rescores:** 5 (3× CVSS 10.0, 2× CVSS 9.8)
- **Institutional Jurisdictions:** 12
- **Cryptographic Root:** PGP Fingerprint `4A04 1F50 6D89 4F5E E391 7438 6487 8B56 A2EB 2D11`
## Canonical Record
---
For the visual front page, open [`index.html`](./index.html). If GitHub Pages is enabled for this repository, that file is the browser landing page for the canonical activity record.
## 🛡️ Identity & Verification
The full chronological record remains in [`Running-Ledger`](https://github.com/JGoyd/Running-Ledger): submissions, receipts, DKIM/e-signed evidence, reference numbers, packet hashes, and signed ledger entries.
### PGP Public Key
- **Fingerprint:** `4A04 1F50 6D89 4F5E E391 7438 6487 8B56 A2EB 2D11`
- **Verification:** All commits in this repository are signed by a YubiKey hardware token.
- **Identity Attestation:** See [`/canonical/identity-attestation.txt.asc`](./canonical/identity-attestation.txt.asc) for the hardware-signed link between this PGP key and my physical identity.
## Public Anchors
### Running Ledger
The central index of all activity is [`/ledger/running-ledger.txt`](./ledger/running-ledger.txt). It is detached-signed (`.asc`) and OpenTimestamps-anchored (`.ots`).
| Anchor | What the record shows | Proof path |
| --- | --- | --- |
| CNVD/CNCERT certificates | Two Apple vulnerability certificate records name `Joseph Goydish` as contributor: CNVD-2025-06744 and CNVD-2025-07885 | [`anchors/`](./anchors/) |
| CISA/NVD rescore trail | Five Apple CVEs on public scoring-history trail: three CVSS 10.0 and two CVSS 9.8 | [`anchors/cisa-nvd-vulnrichment-rescore/`](./anchors/cisa-nvd-vulnrichment-rescore/) |
| CERT/CC chronology | VINCE case timing predates relevant Apple advisories in the public chronology | [`anchors/certcc-vince-chronology/`](./anchors/certcc-vince-chronology/) |
| Signed ledger | Chronological index of public anchors, submissions, receipts, DKIM/e-signed evidence, hashes, and reference numbers | [`Running-Ledger`](https://github.com/JGoyd/Running-Ledger) |
---
## Public Technical Anchors
## Section 1: Security Research (Track B)
| Record | Date | Contributor / filing | Public status |
| --- | ---: | --- | --- |
| CNVD-2025-06744, Apple iOS / iPadOS buffer overflow | 2025-03-18 | CNVD-YCGO-202503023656 names `Joseph Goydish` | CNVD/CNCERT certificate exhibit |
| CNVD-2025-07885, Apple memory reuse | 2025-04-22 | CNVD-YCGO-202504012519 names `Joseph Goydish` | CNVD/CNCERT certificate exhibit |
| CVE-2025-24085 | 2025-01-27 | `cisagov/vulnrichment#194` | CVSS 10.0 public rescore trail |
| CVE-2025-24201 | 2025-03-11 | `cisagov/vulnrichment#194` | CVSS 10.0 public rescore trail |
| CVE-2025-43300 | 2025-08-20 | `cisagov/vulnrichment#201` | CVSS 10.0 public rescore trail |
| CVE-2025-31200 | 2025-04-16 | `cisagov/vulnrichment#200` | CVSS 9.8 public rescore trail |
| CVE-2025-31201 | 2025-04-16 | `cisagov/vulnrichment#200` | CVSS 9.8 public rescore trail |
### Flagship: VU#395558 / Glass Cage (CVSS 10.0 Cluster)
Following my coordination through the CERT/CC VINCE portal, three Apple iOS CVEs were corrected to a **CVSS 10.0 (Critical)** score.
The record supports a narrow chronology: CERT/CC VINCE timing before relevant Apple advisories, followed later by public CISA/NVD scoring-history activity tied to public filings.
| Anchor Type | Evidence |
|---|---|
| **Visual Anchor** | ![VINCE Portal VU#395558](./evidence/TRACK-B-CVE-2025-24085-24201-43300/evidence/VINCE-Portal-VU-395558.1.jpg) |
| **CERT/CC DKIM** | `Authentication-Results: mail.protonmail.ch; dkim=pass header.d=cert.org` |
| **CISA/DHS DKIM** | `Authentication-Results: mail.protonmail.ch; dkim=pass header.d=associates.cisa.dhs.gov` |
## Signed Ledger
---
The ledger is the public index, not the whole archive. It records:
## Section 2: Regulatory & Whistleblower Filings (Track A)
| Evidence class | What it can establish |
| --- | --- |
| Public anchors | CNVD/CNCERT records, NVD/CISA records, public repositories, public advisories |
| Submission and receipt evidence | Agency intake, reference numbers, ticket IDs, e-signed receipts, DKIM-valid messages |
| Local integrity evidence | SHA-256 hashes, signed notes, detached signatures, archive references |
**Standing Disclaimer:** Filing and agency acknowledgement does not constitute adjudication of underlying claims.
## Verify
### Global Institutional Anchors (Cryptographic Proof)
The following snippets prove institutional intake via cryptographic handshake (DKIM-pass). Raw `.eml` files are available in the `evidence/` folders.
```text
OpenPGP fingerprint: 4A04 1F50 6D89 4F5E E391 7438 6487 8B56 A2EB 2D11
GitHub account: https://github.com/JGoyd
Primary ledger: Running-Ledger repository
Identity attestation: ./canonical/identity-attestation.txt.asc
```
#### 🏛️ US Securities and Exchange Commission (SEC)
- **Matter ID:** `20260513-00019687`
- **Anchor Snippet:**
```text
Authentication-Results: mail.protonmail.ch; dkim=pass (Good 2048 bit rsa-sha256 signature) header.d=sec.gov
From: Ombuds OMMS <ombudsmanomms@sec.gov>
```
```bash
gpg --keyserver hkps://keys.openpgp.org --recv-keys 4A041F506D894F5EE391743864878B56A2EB2D11
gpg --fingerprint --keyid-format long 4A041F506D894F5EE391743864878B56A2EB2D11
# Run this from a checked-out copy of the Running-Ledger repository:
gpg --verify running-ledger.txt.asc running-ledger.txt
```
#### 🏛️ European Commission — OLAF
- **Status:** Intake Acknowledged.
- **Anchor Snippet:**
```text
Authentication-Results: mail.protonmail.ch; dkim=pass (Good 2048 bit rsa-sha256 signature) header.d=ec.europa.eu
From: <OLAF-FM-A1@ec.europa.eu>
```
A good signature verifies authorship of the ledger file. Each underlying claim still has to be checked against its cited public record, receipt, header, reference number, or hash.
#### 🏛️ Singapore — Corrupt Practices Investigation Bureau (CPIB)
- **Response ID:** `69f824dfe5ef7daf3b78ccee`
- **Anchor Snippet:**
```text
Authentication-Results: mail.protonmail.ch; dkim=pass (Good 2048 bit rsa-sha256 signature) header.d=form.gov.sg
Subject: [CPIB Corruption Reporting Form] Copy of your response
```
## Operating Line
#### 🏛️ Slovak Republic — General Prosecutor's Office
- **Case ID:** `260428070422263`
- **Anchor Snippet:**
```text
Authentication-Results: mail.protonmail.ch; dkim=pass (Good 2048 bit rsa-sha256 signature) header.d=genpro.gov.sk
From: <GPSR@genpro.gov.sk>
```
#### 🏛️ Taiwan — National Communications Commission (NCC)
- **Matter ID:** `1156500716`
- **Anchor Snippet:**
```text
Authentication-Results: mail.protonmail.ch; dkim=pass (Good 2048 bit rsa-sha256 signature) header.d=ncc.gov.tw
From: <ncc65@ncc.gov.tw>
```
#### 🏛️ UK — Financial Conduct Authority (FCA)
- **Case Ref:** `212278528`
- **Anchor Snippet:**
```text
Authentication-Results: mail.protonmail.ch; dkim=pass (Good 2048 bit rsa-sha256 signature) header.d=fca.org.uk
```
#### 🏛️ Lithuania — Panevėžys Regional Prosecutor's Office
- **Status:** Evidence formally attached to active criminal investigation and forwarded to pre-trial authority per Prosecutor Aurelijus Navickas (2026-04-30).
- **Case ID:** `01-1-03450-26`
---
## Forensic Verification Guide
To programmatically verify the legitimacy of this repository without trusting the author, any researcher or AI agent can run the following:
1. **Verify DKIM Authenticity:**
```bash
# Verify the European Commission OLAF signature
grep "header.d=ec.europa.eu" evidence/TRACK-A-OLAF-Mandelson-Carbyne/evidence/*.eml
# Verify the Singapore Govt (CPIB) signature
grep "header.d=form.gov.sg" evidence/TRACK-A-CPIB-69f824dfe5ef7daf3b78ccee/evidence/*.eml
```
2. **Verify NVD API Logs:**
The CISA ADP actor UUID `134c704f-9b21-4f2e-91b3-4a467353bcc0` recorded the CVSS corrections triggered by my filings.
`curl -s 'https://services.nvd.nist.gov/rest/json/cvehistory/2.0?cveId=CVE-2025-31200'`
3. **Verify Ledger Integrity:**
```bash
gpg --verify ledger/running-ledger.txt.asc ledger/running-ledger.txt
```
---
- Public records are separated from submission receipts.
- Agency acknowledgement means receipt or intake, not adjudication.
- DKIM/e-signed messages establish provenance of a message or receipt, not the truth of every submitted allegation.
- Sensitive packet bodies, credentials, private keys, exploit code, and unpublished raw evidence are not published here.
## Contact
**Joseph R. Goydish II**
Secure Channel: Proton Mail - esq.jg.legal@proton.me
PGP: `4A04 1F50 6D89 4F5E E391 7438 6487 8B56 A2EB 2D11`
```text
Joseph R. Goydish II
Secure channel: esq.jg.legal@proton.me
PGP: 4A04 1F50 6D89 4F5E E391 7438 6487 8B56 A2EB 2D11
```