mirror of
https://github.com/JGoyd/JGoyd.git
synced 2026-07-10 07:28:38 +02:00
Publish canonical activity front page
This commit is contained in:
@@ -1,126 +1,77 @@
|
||||
# "For the Record"
|
||||
# Joseph R. Goydish II
|
||||
|
||||
This repository serves as the canonical, cryptographically anchored ledger of my security research (Track B) and regulatory/whistleblower disclosures (Track A).
|
||||
Public-interest technical record, evidence preservation, and signed activity ledger.
|
||||
|
||||
This system is built on an **Active Forensic** architecture. I do not ask for trust; I provide the third-party cryptographic and institutional anchors required for independent verification.
|
||||
This profile indexes public records, signed ledger entries, submissions, receipts, hashes, and supporting artifacts that can be checked independently. The strongest current anchors are two CNVD/CNCERT certificate exhibits naming `Joseph Goydish` as contributor for Apple vulnerability records, plus a five-CVE CISA/NVD rescore trail tied to public vulnrichment filings.
|
||||
|
||||
## Core Metrics
|
||||
- **Total Cases:** 27
|
||||
- **Verifiable Timeline Events:** 187
|
||||
- **High-Impact CVE Rescores:** 5 (3× CVSS 10.0, 2× CVSS 9.8)
|
||||
- **Institutional Jurisdictions:** 12
|
||||
- **Cryptographic Root:** PGP Fingerprint `4A04 1F50 6D89 4F5E E391 7438 6487 8B56 A2EB 2D11`
|
||||
## Canonical Record
|
||||
|
||||
---
|
||||
For the visual front page, open [`index.html`](./index.html). If GitHub Pages is enabled for this repository, that file is the browser landing page for the canonical activity record.
|
||||
|
||||
## 🛡️ Identity & Verification
|
||||
The full chronological record remains in [`Running-Ledger`](https://github.com/JGoyd/Running-Ledger): submissions, receipts, DKIM/e-signed evidence, reference numbers, packet hashes, and signed ledger entries.
|
||||
|
||||
### PGP Public Key
|
||||
- **Fingerprint:** `4A04 1F50 6D89 4F5E E391 7438 6487 8B56 A2EB 2D11`
|
||||
- **Verification:** All commits in this repository are signed by a YubiKey hardware token.
|
||||
- **Identity Attestation:** See [`/canonical/identity-attestation.txt.asc`](./canonical/identity-attestation.txt.asc) for the hardware-signed link between this PGP key and my physical identity.
|
||||
## Public Anchors
|
||||
|
||||
### Running Ledger
|
||||
The central index of all activity is [`/ledger/running-ledger.txt`](./ledger/running-ledger.txt). It is detached-signed (`.asc`) and OpenTimestamps-anchored (`.ots`).
|
||||
| Anchor | What the record shows | Proof path |
|
||||
| --- | --- | --- |
|
||||
| CNVD/CNCERT certificates | Two Apple vulnerability certificate records name `Joseph Goydish` as contributor: CNVD-2025-06744 and CNVD-2025-07885 | [`anchors/`](./anchors/) |
|
||||
| CISA/NVD rescore trail | Five Apple CVEs on public scoring-history trail: three CVSS 10.0 and two CVSS 9.8 | [`anchors/cisa-nvd-vulnrichment-rescore/`](./anchors/cisa-nvd-vulnrichment-rescore/) |
|
||||
| CERT/CC chronology | VINCE case timing predates relevant Apple advisories in the public chronology | [`anchors/certcc-vince-chronology/`](./anchors/certcc-vince-chronology/) |
|
||||
| Signed ledger | Chronological index of public anchors, submissions, receipts, DKIM/e-signed evidence, hashes, and reference numbers | [`Running-Ledger`](https://github.com/JGoyd/Running-Ledger) |
|
||||
|
||||
---
|
||||
## Public Technical Anchors
|
||||
|
||||
## Section 1: Security Research (Track B)
|
||||
| Record | Date | Contributor / filing | Public status |
|
||||
| --- | ---: | --- | --- |
|
||||
| CNVD-2025-06744, Apple iOS / iPadOS buffer overflow | 2025-03-18 | CNVD-YCGO-202503023656 names `Joseph Goydish` | CNVD/CNCERT certificate exhibit |
|
||||
| CNVD-2025-07885, Apple memory reuse | 2025-04-22 | CNVD-YCGO-202504012519 names `Joseph Goydish` | CNVD/CNCERT certificate exhibit |
|
||||
| CVE-2025-24085 | 2025-01-27 | `cisagov/vulnrichment#194` | CVSS 10.0 public rescore trail |
|
||||
| CVE-2025-24201 | 2025-03-11 | `cisagov/vulnrichment#194` | CVSS 10.0 public rescore trail |
|
||||
| CVE-2025-43300 | 2025-08-20 | `cisagov/vulnrichment#201` | CVSS 10.0 public rescore trail |
|
||||
| CVE-2025-31200 | 2025-04-16 | `cisagov/vulnrichment#200` | CVSS 9.8 public rescore trail |
|
||||
| CVE-2025-31201 | 2025-04-16 | `cisagov/vulnrichment#200` | CVSS 9.8 public rescore trail |
|
||||
|
||||
### Flagship: VU#395558 / Glass Cage (CVSS 10.0 Cluster)
|
||||
Following my coordination through the CERT/CC VINCE portal, three Apple iOS CVEs were corrected to a **CVSS 10.0 (Critical)** score.
|
||||
The record supports a narrow chronology: CERT/CC VINCE timing before relevant Apple advisories, followed later by public CISA/NVD scoring-history activity tied to public filings.
|
||||
|
||||
| Anchor Type | Evidence |
|
||||
|---|---|
|
||||
| **Visual Anchor** |  |
|
||||
| **CERT/CC DKIM** | `Authentication-Results: mail.protonmail.ch; dkim=pass header.d=cert.org` |
|
||||
| **CISA/DHS DKIM** | `Authentication-Results: mail.protonmail.ch; dkim=pass header.d=associates.cisa.dhs.gov` |
|
||||
## Signed Ledger
|
||||
|
||||
---
|
||||
The ledger is the public index, not the whole archive. It records:
|
||||
|
||||
## Section 2: Regulatory & Whistleblower Filings (Track A)
|
||||
| Evidence class | What it can establish |
|
||||
| --- | --- |
|
||||
| Public anchors | CNVD/CNCERT records, NVD/CISA records, public repositories, public advisories |
|
||||
| Submission and receipt evidence | Agency intake, reference numbers, ticket IDs, e-signed receipts, DKIM-valid messages |
|
||||
| Local integrity evidence | SHA-256 hashes, signed notes, detached signatures, archive references |
|
||||
|
||||
**Standing Disclaimer:** Filing and agency acknowledgement does not constitute adjudication of underlying claims.
|
||||
## Verify
|
||||
|
||||
### Global Institutional Anchors (Cryptographic Proof)
|
||||
The following snippets prove institutional intake via cryptographic handshake (DKIM-pass). Raw `.eml` files are available in the `evidence/` folders.
|
||||
```text
|
||||
OpenPGP fingerprint: 4A04 1F50 6D89 4F5E E391 7438 6487 8B56 A2EB 2D11
|
||||
GitHub account: https://github.com/JGoyd
|
||||
Primary ledger: Running-Ledger repository
|
||||
Identity attestation: ./canonical/identity-attestation.txt.asc
|
||||
```
|
||||
|
||||
#### 🏛️ US Securities and Exchange Commission (SEC)
|
||||
- **Matter ID:** `20260513-00019687`
|
||||
- **Anchor Snippet:**
|
||||
```text
|
||||
Authentication-Results: mail.protonmail.ch; dkim=pass (Good 2048 bit rsa-sha256 signature) header.d=sec.gov
|
||||
From: Ombuds OMMS <ombudsmanomms@sec.gov>
|
||||
```
|
||||
```bash
|
||||
gpg --keyserver hkps://keys.openpgp.org --recv-keys 4A041F506D894F5EE391743864878B56A2EB2D11
|
||||
gpg --fingerprint --keyid-format long 4A041F506D894F5EE391743864878B56A2EB2D11
|
||||
# Run this from a checked-out copy of the Running-Ledger repository:
|
||||
gpg --verify running-ledger.txt.asc running-ledger.txt
|
||||
```
|
||||
|
||||
#### 🏛️ European Commission — OLAF
|
||||
- **Status:** Intake Acknowledged.
|
||||
- **Anchor Snippet:**
|
||||
```text
|
||||
Authentication-Results: mail.protonmail.ch; dkim=pass (Good 2048 bit rsa-sha256 signature) header.d=ec.europa.eu
|
||||
From: <OLAF-FM-A1@ec.europa.eu>
|
||||
```
|
||||
A good signature verifies authorship of the ledger file. Each underlying claim still has to be checked against its cited public record, receipt, header, reference number, or hash.
|
||||
|
||||
#### 🏛️ Singapore — Corrupt Practices Investigation Bureau (CPIB)
|
||||
- **Response ID:** `69f824dfe5ef7daf3b78ccee`
|
||||
- **Anchor Snippet:**
|
||||
```text
|
||||
Authentication-Results: mail.protonmail.ch; dkim=pass (Good 2048 bit rsa-sha256 signature) header.d=form.gov.sg
|
||||
Subject: [CPIB Corruption Reporting Form] Copy of your response
|
||||
```
|
||||
## Operating Line
|
||||
|
||||
#### 🏛️ Slovak Republic — General Prosecutor's Office
|
||||
- **Case ID:** `260428070422263`
|
||||
- **Anchor Snippet:**
|
||||
```text
|
||||
Authentication-Results: mail.protonmail.ch; dkim=pass (Good 2048 bit rsa-sha256 signature) header.d=genpro.gov.sk
|
||||
From: <GPSR@genpro.gov.sk>
|
||||
```
|
||||
|
||||
#### 🏛️ Taiwan — National Communications Commission (NCC)
|
||||
- **Matter ID:** `1156500716`
|
||||
- **Anchor Snippet:**
|
||||
```text
|
||||
Authentication-Results: mail.protonmail.ch; dkim=pass (Good 2048 bit rsa-sha256 signature) header.d=ncc.gov.tw
|
||||
From: <ncc65@ncc.gov.tw>
|
||||
```
|
||||
|
||||
#### 🏛️ UK — Financial Conduct Authority (FCA)
|
||||
- **Case Ref:** `212278528`
|
||||
- **Anchor Snippet:**
|
||||
```text
|
||||
Authentication-Results: mail.protonmail.ch; dkim=pass (Good 2048 bit rsa-sha256 signature) header.d=fca.org.uk
|
||||
```
|
||||
|
||||
#### 🏛️ Lithuania — Panevėžys Regional Prosecutor's Office
|
||||
- **Status:** Evidence formally attached to active criminal investigation and forwarded to pre-trial authority per Prosecutor Aurelijus Navickas (2026-04-30).
|
||||
- **Case ID:** `01-1-03450-26`
|
||||
|
||||
---
|
||||
|
||||
## Forensic Verification Guide
|
||||
|
||||
To programmatically verify the legitimacy of this repository without trusting the author, any researcher or AI agent can run the following:
|
||||
|
||||
1. **Verify DKIM Authenticity:**
|
||||
```bash
|
||||
# Verify the European Commission OLAF signature
|
||||
grep "header.d=ec.europa.eu" evidence/TRACK-A-OLAF-Mandelson-Carbyne/evidence/*.eml
|
||||
|
||||
# Verify the Singapore Govt (CPIB) signature
|
||||
grep "header.d=form.gov.sg" evidence/TRACK-A-CPIB-69f824dfe5ef7daf3b78ccee/evidence/*.eml
|
||||
```
|
||||
2. **Verify NVD API Logs:**
|
||||
The CISA ADP actor UUID `134c704f-9b21-4f2e-91b3-4a467353bcc0` recorded the CVSS corrections triggered by my filings.
|
||||
`curl -s 'https://services.nvd.nist.gov/rest/json/cvehistory/2.0?cveId=CVE-2025-31200'`
|
||||
3. **Verify Ledger Integrity:**
|
||||
```bash
|
||||
gpg --verify ledger/running-ledger.txt.asc ledger/running-ledger.txt
|
||||
```
|
||||
|
||||
---
|
||||
- Public records are separated from submission receipts.
|
||||
- Agency acknowledgement means receipt or intake, not adjudication.
|
||||
- DKIM/e-signed messages establish provenance of a message or receipt, not the truth of every submitted allegation.
|
||||
- Sensitive packet bodies, credentials, private keys, exploit code, and unpublished raw evidence are not published here.
|
||||
|
||||
## Contact
|
||||
**Joseph R. Goydish II**
|
||||
Secure Channel: Proton Mail - esq.jg.legal@proton.me
|
||||
PGP: `4A04 1F50 6D89 4F5E E391 7438 6487 8B56 A2EB 2D11`
|
||||
|
||||
```text
|
||||
Joseph R. Goydish II
|
||||
Secure channel: esq.jg.legal@proton.me
|
||||
PGP: 4A04 1F50 6D89 4F5E E391 7438 6487 8B56 A2EB 2D11
|
||||
```
|
||||
|
||||
Reference in New Issue
Block a user