Joseph R. Goydish II
12 KiB
Joseph R. Goydish II
Independent security researcher and investigator. This page is the canonical
entry point for verifying any claim made under github.com/JGoyd. Every
section is designed so that a skeptical reader does not have to trust me —
they can verify each anchor through a third party.
Identity & key
- Name: Joseph R. Goydish II
- Canonical PGP fingerprint:
4A04 1F50 6D89 4F5E E391 7438 6487 8B56 A2EB 2D11 - Key locations:
- Identity attestation:
/canonical/identity-attestation.txt.asc— clearsigned by the canonical key, OpenTimestamps-anchored. - Cross-key attestation:
/canonical/key-cross-attestation.txt.asc— if two fingerprints have been in circulation, this file binds them.
Open disclosure. Two PGP fingerprints have appeared in my publications to date:
4A04 1F50 6D89 4F5E E391 7438 6487 8B56 A2EB 2D11(used byJGoyd/Running-Ledger) and6DCB 4235 1237 A98B B474 0070 B36F FC36 1AE5 DAF6(used byJGoyd/JGoyd/anchor.txt,anchor2.txt, andJGoyd/drops). One must be chosen as canonical; the other must be revoked or cross-signed. Until the cross-attestation file is published, verifiers should treat identity assertions in either chain as preliminary.
Disclosure policy
- All vulnerability research follows coordinated disclosure — no weaponized PoCs are published.
- All Track-A filings carry the disclaimer below.
- I do not represent any government, vendor, intelligence service, or intermediary.
Section 1 — Security research (Track B)
Headline: CISA ADP rescored 5 Apple iOS CVEs after my cisagov/vulnrichment filings, with my name and repo written into the NVD public change logs
Three CVEs scored to CVSS 10.0 (maximum); two CVEs scored to CVSS 9.8. Each rescore is anchored to a cisagov/vulnrichment GitHub issue opened by JGoyd, closed by a CISA maintainer, then followed by a CISA ADP write to the NVD CVE-History feed naming my issue (and, on the 31200/31201 pair, my research repository) as the trigger. Actor UUID on every ADP write: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (CISA ADP). All steps are verifiable from NVD's public REST API — no private trust required.
| CVE | Score | Filing | ADP write timestamp | Channel |
|---|---|---|---|---|
| CVE-2025-24085 | 10.0 (NVD Primary + ADP Secondary) | vulnrichment #194 | 2025-11-12 15:15:36 UTC (ADP), 2025-11-14 13:52:51 UTC (Primary) | CERT/CC VINCE case VU#395558 |
| CVE-2025-24201 | 10.0 (NVD Primary + ADP Secondary) | vulnrichment #194 | 2025-11-12 15:15:36 UTC (ADP), 2025-11-14 (Primary) | CERT/CC VINCE case VU#395558 |
| CVE-2025-43300 | 10.0 (ADP Secondary) | vulnrichment #201 | NVD CVE-History | CERT/CC VINCE case VU#395558 |
| CVE-2025-31200 | 9.8 (ADP Secondary) | vulnrichment #200 | 2025-11-24 15:15:47.917 UTC | CERT/CC VINCE case VRF#25-01-MPVDT / gen-41698 |
| CVE-2025-31201 | 9.8 (ADP Secondary) | vulnrichment #200 | 2025-11-24 | CERT/CC VINCE case VRF#25-01-MPVDT / gen-41698 |
The two VINCE cases are independent: VU#395558 (Glass Cage chain, 10.0 cluster) and VRF#25-01-MPVDT / gen-41698 (April 16 patch pair, 9.8 cluster). Both went through CERT/CC's single coordination portal (kb.cert.org/vince); the distinguishing key is the case identifier, not the channel.
For the 31200/31201 atomic write, NVD CVE-History captures five simultaneous changes: new 9.8 CVSS vector, new CWE-119, new reference to vulnrichment #200, new reference to github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201, and the ADP actor UUID. All five are visible at https://services.nvd.nist.gov/rest/json/cvehistory/2.0?cveId=CVE-2025-31200.
Case Table
| CVE / Case | My role (precise) | External anchor | Evidence | Status |
|---|---|---|---|---|
| CVE-2025-31200 | CISA ADP CVSS-reassessment contributor via vulnrichment #200; ADP write referenced my repo on NVD | NVD record · CVE-History API | evidence/TRACK-B-CVE-2025-31200-31201/ | VERIFIED |
| CVE-2025-31201 | CISA ADP CVSS-reassessment contributor via vulnrichment #200 | NVD record | evidence/TRACK-B-CVE-2025-31200-31201/ | VERIFIED |
| CVE-2025-24085 | CISA ADP CVSS-reassessment contributor via vulnrichment #194; rescored to 10.0 | NVD record · CVE-History API | evidence/TRACK-B-CVE-2025-24085-24201-43300/ | VERIFIED |
| CVE-2025-24201 | CISA ADP CVSS-reassessment contributor via vulnrichment #194; rescored to 10.0 | NVD record | evidence/TRACK-B-CVE-2025-24085-24201-43300/ | VERIFIED |
| CVE-2025-43300 | Chain-context contributor via vulnrichment #201; ADP Secondary 10.0 | NVD record | evidence/TRACK-B-CVE-2025-24085-24201-43300/ | VERIFIED |
| MSRC-112639 | Reporter (M365 cross-tenant MIME type-confusion); CVE assignment pending | (MSRC portal — confidential until vendor advisory) | evidence/TRACK-B-MSRC-112639/ | PENDING |
| CNVD-2025-06744 | Contributor (贡献者) on CNCERT/CNVD original-vulnerability certificate CNVD-YCGO-202503023656 (Apple iOS/iPadOS buffer overflow); issuing-body PDF staged |
CNVD listing | evidence/TRACK-B-CNVD-2025-06744/ | PROVISIONAL |
| CNVD-2025-07885 | Contributor (贡献者) on CNCERT/CNVD original-vulnerability certificate CNVD-YCGO-202504012519 (Apple multi-product use-after-free); issuing-body PDF staged |
CNVD listing | evidence/TRACK-B-CNVD-2025-07885/ | PROVISIONAL |
| NASA/JPL TLS misconfig | Discloser | (NASA/JPL acknowledgement) | evidence/TRACK-B-NASA-JPL-TLS/ | UNVERIFIED |
| DOE-417 (5941450-1585693) | Filer | (DOE EOC reply) | evidence/TRACK-B-DOE-417/ | PENDING |
FBI IC3 (067b3177…) |
Filer | (IC3 confirmation) | evidence/TRACK-B-IC3-067b3177c3524c80bce02cca08064d11/ | UNVERIFIED |
Research repositories listed by NVD
NVD's CVE references include the following JGoyd-controlled repos as Third-Party Advisories. These are agency-controlled placements — I did not add the references myself:
github.com/JGoyd/Glass-Cage-iOS18-CVE-2025-24085-CVE-2025-24201— referenced under CVE-2025-24085 and CVE-2025-24201.github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201— referenced under CVE-2025-31200 and CVE-2025-31201.
Other repositories — important framing
I maintain a number of research repos describing iOS/macOS behavioral
observations, hardware findings, and analytical reconstructions (e.g.
Project-Eclipse, NeuralNet, ams-failopen, A18-AON_Design,
Apple-Silicon-A17-Flaw, iOS-26.2-runningboard-vuln,
iCloud-PCS-Corruption). These are forensic observations and analysis,
not vendor-confirmed findings, and have no NVD CVE / vendor advisory
attribution to me. They are presented as analytical work and should be read
as such.
Section 2 — Regulatory and whistleblower filings (Track A)
Standing disclaimer: Filing and agency acknowledgement does not constitute adjudication of the underlying claims. Each entry below establishes only that material I submitted was acknowledged by the receiving authority.
| Agency | Filing type | Date | Case / reference | External anchor | Evidence | Status |
|---|---|---|---|---|---|---|
| Lithuania — Panevėžio OTNK skyrius | Pre-trial investigation submission | 2026-04-30 | 01-1-03450-26 (case); IBPS-S-248320-26 (doc reg.) |
(IBPS e-signed receipt — eIDAS PAdES) | evidence/TRACK-A-LT-CASE-01-1-03450-26/ | PENDING |
| Slovak Republic — Generálna prokuratúra | Verified electronic submission | 2026-04-28 | 260428070422263 |
(e-signed receipt — eIDAS PAdES) | evidence/TRACK-A-SK-260428070422263/ | PENDING |
| European Commission — OLAF | Supplemental disclosure | 2026-05-04 | 00Db00K8yP.!500Sk019RuGn |
BBC: OLAF opens Mandelson investigation — parallel public investigation | evidence/TRACK-A-OLAF-Ref-00Db00K8yP/ | PARTIAL |
| Taiwan — NCC | Complaint forwarded | 2026-03-24 | 通傳基礎決字第11500091980號 |
(NCC decision letter) | evidence/TRACK-A-TW-NCC-11500091980/ | PENDING |
| SEC — TCR Office | TCR submission | 2026-05-06 | 17780-976-067-126 |
(SEC TCR acknowledgement) | evidence/TRACK-A-SEC-TCR-17780-976-067-126/ | PENDING |
| UK — FCA | Bank of China (UK) advisory | 2026-05-11 | 212278528 |
(FCA acknowledgement) | evidence/TRACK-A-FCA-212278528/ | UNVERIFIED |
| Singapore — CPIB | Corruption Reporting Form | 2026-05-04 | 69f824dfe5ef7daf3b78ccee |
(CPIB acknowledgement) | evidence/TRACK-A-CPIB-69f824dfe5ef7daf3b78ccee/ | UNVERIFIED |
| IRS — Whistleblower Office | Form 211 (IRC §7623(b)) | 2026-05-06 | (claim # pending paper letter) | (IRS WBO acknowledgement) | evidence/TRACK-A-IRS-FORM-211/ | UNVERIFIED |
| DOJ — FARA Unit | Public disclosure | 2026-05-05 | (FARA Unit intake ref) | (FARA Unit acknowledgement) | evidence/TRACK-A-DOJ-FARA-Public/ | UNVERIFIED |
| Japan — ISA | ICRRA Art. 70-1 referral | 2026-05-13 | (ISA intake ref) | (ISA acknowledgement) | evidence/TRACK-A-Japan-ISA-ICRRA70-1/ | UNVERIFIED |
| Massachusetts AGO | MIT Media Lab complaint | 2026-05-05 | (AGO intake ref) | (AGO acknowledgement) | evidence/TRACK-A-MA-AGO-MIT-MediaLab/ | UNVERIFIED |
Section 3 — What I am NOT claiming
- I do not claim to be the original discoverer of any of the five Apple CVEs listed above. Apple's own advisories credit the original reporters; my contribution is the impact-reassessment and chain-analysis filings to CISA ADP, as documented in the linked NVD CVE-History entries.
- I do not claim that agency receipt of a Track-A filing constitutes a finding against any person or organization. Filing and acknowledgement are clerical events.
- I do not claim association with, employment by, or representation of any government, intelligence service, vendor, or law-enforcement agency.
- I do not claim that any repository I maintain is a vendor advisory unless NVD or the vendor itself has linked it as such (currently: the two CVE research repos noted in Section 1).
- I do not claim that observations in repositories without external anchors are confirmed vulnerabilities. They are analytical observations.
Section 4 — Contact
- Journalists and investigators: [contact channel — Proton Mail; encrypted preferred]
- Vendors (coordinated disclosure): [vendor contact channel]
- Legal: [counsel contact, if applicable]
Verify any reply from me by checking the PGP signature against the canonical fingerprint published at the top of this page.