# Joseph R. Goydish II Independent security researcher and investigator. This page is the canonical entry point for verifying any claim made under `github.com/JGoyd`. Every section is designed so that a skeptical reader does not have to trust me — they can verify each anchor through a third party. ## Identity & key - **Name:** Joseph R. Goydish II - **Canonical PGP fingerprint:** `4A04 1F50 6D89 4F5E E391 7438 6487 8B56 A2EB 2D11` - **Key locations:** - https://keys.openpgp.org/search?q=4A041F506D894F5EE391743864878B56A2EB2D11 - https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x4A041F506D894F5EE391743864878B56A2EB2D11 - https://pgp.mit.edu/pks/lookup?op=get&search=0x4A041F506D894F5EE391743864878B56A2EB2D11 - **Identity attestation:** `/canonical/identity-attestation.txt.asc` — clearsigned by the canonical key, OpenTimestamps-anchored. - **Cross-key attestation:** `/canonical/key-cross-attestation.txt.asc` — if two fingerprints have been in circulation, this file binds them. > **Open disclosure.** Two PGP fingerprints have appeared in my publications > to date: `4A04 1F50 6D89 4F5E E391 7438 6487 8B56 A2EB 2D11` (used by > `JGoyd/Running-Ledger`) and `6DCB 4235 1237 A98B B474 0070 B36F FC36 1AE5 > DAF6` (used by `JGoyd/JGoyd/anchor.txt`, `anchor2.txt`, and `JGoyd/drops`). > One must be chosen as canonical; the other must be revoked or cross-signed. > Until the cross-attestation file is published, verifiers should treat > identity assertions in either chain as preliminary. ## Disclosure policy - All vulnerability research follows coordinated disclosure — no weaponized PoCs are published. - All Track-A filings carry the disclaimer below. - I do not represent any government, vendor, intelligence service, or intermediary. --- ## Section 1 — Security research (Track B) ### Headline: CISA ADP rescored 5 Apple iOS CVEs after my `cisagov/vulnrichment` filings, with my name and repo written into the NVD public change logs **Three CVEs scored to CVSS 10.0 (maximum); two CVEs scored to CVSS 9.8.** Each rescore is anchored to a `cisagov/vulnrichment` GitHub issue opened by `JGoyd`, closed by a CISA maintainer, then followed by a CISA ADP write to the NVD CVE-History feed naming my issue (and, on the 31200/31201 pair, my research repository) as the trigger. Actor UUID on every ADP write: `134c704f-9b21-4f2e-91b3-4a467353bcc0` (CISA ADP). All steps are verifiable from NVD's public REST API — no private trust required. | CVE | Score | Filing | ADP write timestamp | Channel | |---|---|---|---|---| | CVE-2025-24085 | **10.0** (NVD Primary + ADP Secondary) | [vulnrichment #194](https://github.com/cisagov/vulnrichment/issues/194) | 2025-11-12 15:15:36 UTC (ADP), 2025-11-14 13:52:51 UTC (Primary) | CERT/CC VINCE case VU#395558 | | CVE-2025-24201 | **10.0** (NVD Primary + ADP Secondary) | [vulnrichment #194](https://github.com/cisagov/vulnrichment/issues/194) | 2025-11-12 15:15:36 UTC (ADP), 2025-11-14 (Primary) | CERT/CC VINCE case VU#395558 | | CVE-2025-43300 | **10.0** (ADP Secondary) | [vulnrichment #201](https://github.com/cisagov/vulnrichment/issues/201) | NVD CVE-History | CERT/CC VINCE case VU#395558 | | CVE-2025-31200 | **9.8** (ADP Secondary) | [vulnrichment #200](https://github.com/cisagov/vulnrichment/issues/200) | 2025-11-24 15:15:47.917 UTC | CERT/CC VINCE case VRF#25-01-MPVDT / `gen-41698` | | CVE-2025-31201 | **9.8** (ADP Secondary) | [vulnrichment #200](https://github.com/cisagov/vulnrichment/issues/200) | 2025-11-24 | CERT/CC VINCE case VRF#25-01-MPVDT / `gen-41698` | The two VINCE cases are independent: VU#395558 (Glass Cage chain, 10.0 cluster) and VRF#25-01-MPVDT / `gen-41698` (April 16 patch pair, 9.8 cluster). Both went through CERT/CC's single coordination portal (`kb.cert.org/vince`); the distinguishing key is the case identifier, not the channel. For the 31200/31201 atomic write, NVD CVE-History captures **five simultaneous changes**: new 9.8 CVSS vector, new CWE-119, new reference to vulnrichment #200, new reference to `github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201`, and the ADP actor UUID. All five are visible at `https://services.nvd.nist.gov/rest/json/cvehistory/2.0?cveId=CVE-2025-31200`. ### Case Table | CVE / Case | My role (precise) | External anchor | Evidence | Status | |---|---|---|---|---| | CVE-2025-31200 | CISA ADP CVSS-reassessment contributor via [vulnrichment #200](https://github.com/cisagov/vulnrichment/issues/200); ADP write referenced my repo on NVD | [NVD record](https://nvd.nist.gov/vuln/detail/CVE-2025-31200) · [CVE-History API](https://services.nvd.nist.gov/rest/json/cvehistory/2.0?cveId=CVE-2025-31200) | [evidence/TRACK-B-CVE-2025-31200-31201/](../evidence/TRACK-B-CVE-2025-31200-31201/) | **VERIFIED** | | CVE-2025-31201 | CISA ADP CVSS-reassessment contributor via [vulnrichment #200](https://github.com/cisagov/vulnrichment/issues/200) | [NVD record](https://nvd.nist.gov/vuln/detail/CVE-2025-31201) | [evidence/TRACK-B-CVE-2025-31200-31201/](../evidence/TRACK-B-CVE-2025-31200-31201/) | **VERIFIED** | | CVE-2025-24085 | CISA ADP CVSS-reassessment contributor via [vulnrichment #194](https://github.com/cisagov/vulnrichment/issues/194); rescored to 10.0 | [NVD record](https://nvd.nist.gov/vuln/detail/CVE-2025-24085) · [CVE-History API](https://services.nvd.nist.gov/rest/json/cvehistory/2.0?cveId=CVE-2025-24085) | [evidence/TRACK-B-CVE-2025-24085-24201-43300/](../evidence/TRACK-B-CVE-2025-24085-24201-43300/) | **VERIFIED** | | CVE-2025-24201 | CISA ADP CVSS-reassessment contributor via [vulnrichment #194](https://github.com/cisagov/vulnrichment/issues/194); rescored to 10.0 | [NVD record](https://nvd.nist.gov/vuln/detail/CVE-2025-24201) | [evidence/TRACK-B-CVE-2025-24085-24201-43300/](../evidence/TRACK-B-CVE-2025-24085-24201-43300/) | **VERIFIED** | | CVE-2025-43300 | Chain-context contributor via [vulnrichment #201](https://github.com/cisagov/vulnrichment/issues/201); ADP Secondary 10.0 | [NVD record](https://nvd.nist.gov/vuln/detail/CVE-2025-43300) | [evidence/TRACK-B-CVE-2025-24085-24201-43300/](../evidence/TRACK-B-CVE-2025-24085-24201-43300/) | **VERIFIED** | | MSRC-112639 | Reporter (M365 cross-tenant MIME type-confusion); CVE assignment pending | (MSRC portal — confidential until vendor advisory) | [evidence/TRACK-B-MSRC-112639/](../evidence/TRACK-B-MSRC-112639/) | PENDING | | CNVD-2025-06744 | Contributor (贡献者) on CNCERT/CNVD original-vulnerability certificate `CNVD-YCGO-202503023656` (Apple iOS/iPadOS buffer overflow); issuing-body PDF staged | [CNVD listing](https://www.cnvd.org.cn/flaw/show/CNVD-2025-06744) | [evidence/TRACK-B-CNVD-2025-06744/](../evidence/TRACK-B-CNVD-2025-06744/) | **PROVISIONAL** | | CNVD-2025-07885 | Contributor (贡献者) on CNCERT/CNVD original-vulnerability certificate `CNVD-YCGO-202504012519` (Apple multi-product use-after-free); issuing-body PDF staged | [CNVD listing](https://www.cnvd.org.cn/flaw/show/CNVD-2025-07885) | [evidence/TRACK-B-CNVD-2025-07885/](../evidence/TRACK-B-CNVD-2025-07885/) | **PROVISIONAL** | | NASA/JPL TLS misconfig | Discloser | (NASA/JPL acknowledgement) | [evidence/TRACK-B-NASA-JPL-TLS/](../evidence/TRACK-B-NASA-JPL-TLS/) | UNVERIFIED | | DOE-417 (5941450-1585693) | Filer | (DOE EOC reply) | [evidence/TRACK-B-DOE-417/](../evidence/TRACK-B-DOE-417/) | PENDING | | FBI IC3 (`067b3177…`) | Filer | (IC3 confirmation) | [evidence/TRACK-B-IC3-067b3177c3524c80bce02cca08064d11/](../evidence/TRACK-B-IC3-067b3177c3524c80bce02cca08064d11/) | UNVERIFIED | ### Research repositories listed by NVD NVD's CVE references include the following JGoyd-controlled repos as Third-Party Advisories. These are agency-controlled placements — I did not add the references myself: - `github.com/JGoyd/Glass-Cage-iOS18-CVE-2025-24085-CVE-2025-24201` — referenced under CVE-2025-24085 and CVE-2025-24201. - `github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201` — referenced under CVE-2025-31200 and CVE-2025-31201. ### Other repositories — important framing I maintain a number of research repos describing iOS/macOS behavioral observations, hardware findings, and analytical reconstructions (e.g. `Project-Eclipse`, `NeuralNet`, `ams-failopen`, `A18-AON_Design`, `Apple-Silicon-A17-Flaw`, `iOS-26.2-runningboard-vuln`, `iCloud-PCS-Corruption`). These are **forensic observations and analysis, not vendor-confirmed findings**, and have no NVD CVE / vendor advisory attribution to me. They are presented as analytical work and should be read as such. --- ## Section 2 — Regulatory and whistleblower filings (Track A) > **Standing disclaimer:** Filing and agency acknowledgement does not > constitute adjudication of the underlying claims. Each entry below > establishes only that material I submitted was acknowledged by the > receiving authority. | Agency | Filing type | Date | Case / reference | External anchor | Evidence | Status | |---|---|---|---|---|---|---| | Lithuania — Panevėžio OTNK skyrius | Pre-trial investigation submission | 2026-04-30 | `01-1-03450-26` (case); `IBPS-S-248320-26` (doc reg.) | (IBPS e-signed receipt — eIDAS PAdES) | [evidence/TRACK-A-LT-CASE-01-1-03450-26/](../evidence/TRACK-A-LT-CASE-01-1-03450-26/) | PENDING | | Slovak Republic — Generálna prokuratúra | Verified electronic submission | 2026-04-28 | `260428070422263` | (e-signed receipt — eIDAS PAdES) | [evidence/TRACK-A-SK-260428070422263/](../evidence/TRACK-A-SK-260428070422263/) | PENDING | | European Commission — OLAF | Supplemental disclosure | 2026-05-04 | `00Db00K8yP.!500Sk019RuGn` | [BBC: OLAF opens Mandelson investigation](https://www.bbc.com/news/articles/cj98zm22327o) — parallel public investigation | [evidence/TRACK-A-OLAF-Ref-00Db00K8yP/](../evidence/TRACK-A-OLAF-Ref-00Db00K8yP/) | PARTIAL | | Taiwan — NCC | Complaint forwarded | 2026-03-24 | `通傳基礎決字第11500091980號` | (NCC decision letter) | [evidence/TRACK-A-TW-NCC-11500091980/](../evidence/TRACK-A-TW-NCC-11500091980/) | PENDING | | SEC — TCR Office | TCR submission | 2026-05-06 | `17780-976-067-126` | (SEC TCR acknowledgement) | [evidence/TRACK-A-SEC-TCR-17780-976-067-126/](../evidence/TRACK-A-SEC-TCR-17780-976-067-126/) | PENDING | | UK — FCA | Bank of China (UK) advisory | 2026-05-11 | `212278528` | (FCA acknowledgement) | [evidence/TRACK-A-FCA-212278528/](../evidence/TRACK-A-FCA-212278528/) | UNVERIFIED | | Singapore — CPIB | Corruption Reporting Form | 2026-05-04 | `69f824dfe5ef7daf3b78ccee` | (CPIB acknowledgement) | [evidence/TRACK-A-CPIB-69f824dfe5ef7daf3b78ccee/](../evidence/TRACK-A-CPIB-69f824dfe5ef7daf3b78ccee/) | UNVERIFIED | | IRS — Whistleblower Office | Form 211 (IRC §7623(b)) | 2026-05-06 | (claim # pending paper letter) | (IRS WBO acknowledgement) | [evidence/TRACK-A-IRS-FORM-211/](../evidence/TRACK-A-IRS-FORM-211/) | UNVERIFIED | | DOJ — FARA Unit | Public disclosure | 2026-05-05 | (FARA Unit intake ref) | (FARA Unit acknowledgement) | [evidence/TRACK-A-DOJ-FARA-Public/](../evidence/TRACK-A-DOJ-FARA-Public/) | UNVERIFIED | | Japan — ISA | ICRRA Art. 70-1 referral | 2026-05-13 | (ISA intake ref) | (ISA acknowledgement) | [evidence/TRACK-A-Japan-ISA-ICRRA70-1/](../evidence/TRACK-A-Japan-ISA-ICRRA70-1/) | UNVERIFIED | | Massachusetts AGO | MIT Media Lab complaint | 2026-05-05 | (AGO intake ref) | (AGO acknowledgement) | [evidence/TRACK-A-MA-AGO-MIT-MediaLab/](../evidence/TRACK-A-MA-AGO-MIT-MediaLab/) | UNVERIFIED | --- ## Section 3 — What I am NOT claiming - I do not claim to be the original discoverer of any of the five Apple CVEs listed above. Apple's own advisories credit the original reporters; my contribution is the impact-reassessment and chain-analysis filings to CISA ADP, as documented in the linked NVD CVE-History entries. - I do not claim that agency receipt of a Track-A filing constitutes a finding against any person or organization. Filing and acknowledgement are clerical events. - I do not claim association with, employment by, or representation of any government, intelligence service, vendor, or law-enforcement agency. - I do not claim that any repository I maintain is a vendor advisory unless NVD or the vendor itself has linked it as such (currently: the two CVE research repos noted in Section 1). - I do not claim that observations in repositories without external anchors are confirmed vulnerabilities. They are analytical observations. --- ## Section 4 — Contact - **Journalists and investigators:** [contact channel — Proton Mail; encrypted preferred] - **Vendors (coordinated disclosure):** [vendor contact channel] - **Legal:** [counsel contact, if applicable] Verify any reply from me by checking the PGP signature against the canonical fingerprint published at the top of this page.