mirror of
https://github.com/JGoyd/JGoyd.git
synced 2026-07-08 17:57:57 +02:00
4ed1ae48b1
Cases
143 lines
12 KiB
Markdown
143 lines
12 KiB
Markdown
# Joseph R. Goydish II
|
|
|
|
Independent security researcher and investigator. This page is the canonical
|
|
entry point for verifying any claim made under `github.com/JGoyd`. Every
|
|
section is designed so that a skeptical reader does not have to trust me —
|
|
they can verify each anchor through a third party.
|
|
|
|
## Identity & key
|
|
|
|
- **Name:** Joseph R. Goydish II
|
|
- **Canonical PGP fingerprint:** `4A04 1F50 6D89 4F5E E391 7438 6487 8B56 A2EB 2D11`
|
|
- **Key locations:**
|
|
- https://keys.openpgp.org/search?q=4A041F506D894F5EE391743864878B56A2EB2D11
|
|
- https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x4A041F506D894F5EE391743864878B56A2EB2D11
|
|
- https://pgp.mit.edu/pks/lookup?op=get&search=0x4A041F506D894F5EE391743864878B56A2EB2D11
|
|
- **Identity attestation:** `/canonical/identity-attestation.txt.asc` — clearsigned by the canonical key, OpenTimestamps-anchored.
|
|
- **Cross-key attestation:** `/canonical/key-cross-attestation.txt.asc` — if two fingerprints have been in circulation, this file binds them.
|
|
|
|
> **Open disclosure.** Two PGP fingerprints have appeared in my publications
|
|
> to date: `4A04 1F50 6D89 4F5E E391 7438 6487 8B56 A2EB 2D11` (used by
|
|
> `JGoyd/Running-Ledger`) and `6DCB 4235 1237 A98B B474 0070 B36F FC36 1AE5
|
|
> DAF6` (used by `JGoyd/JGoyd/anchor.txt`, `anchor2.txt`, and `JGoyd/drops`).
|
|
> One must be chosen as canonical; the other must be revoked or cross-signed.
|
|
> Until the cross-attestation file is published, verifiers should treat
|
|
> identity assertions in either chain as preliminary.
|
|
|
|
## Disclosure policy
|
|
|
|
- All vulnerability research follows coordinated disclosure — no
|
|
weaponized PoCs are published.
|
|
- All Track-A filings carry the disclaimer below.
|
|
- I do not represent any government, vendor, intelligence service, or
|
|
intermediary.
|
|
|
|
---
|
|
|
|
## Section 1 — Security research (Track B)
|
|
|
|
### Headline: CISA ADP rescored 5 Apple iOS CVEs after my `cisagov/vulnrichment` filings, with my name and repo written into the NVD public change logs
|
|
|
|
**Three CVEs scored to CVSS 10.0 (maximum); two CVEs scored to CVSS 9.8.** Each rescore is anchored to a `cisagov/vulnrichment` GitHub issue opened by `JGoyd`, closed by a CISA maintainer, then followed by a CISA ADP write to the NVD CVE-History feed naming my issue (and, on the 31200/31201 pair, my research repository) as the trigger. Actor UUID on every ADP write: `134c704f-9b21-4f2e-91b3-4a467353bcc0` (CISA ADP). All steps are verifiable from NVD's public REST API — no private trust required.
|
|
|
|
| CVE | Score | Filing | ADP write timestamp | Channel |
|
|
|---|---|---|---|---|
|
|
| CVE-2025-24085 | **10.0** (NVD Primary + ADP Secondary) | [vulnrichment #194](https://github.com/cisagov/vulnrichment/issues/194) | 2025-11-12 15:15:36 UTC (ADP), 2025-11-14 13:52:51 UTC (Primary) | CERT/CC VINCE case VU#395558 |
|
|
| CVE-2025-24201 | **10.0** (NVD Primary + ADP Secondary) | [vulnrichment #194](https://github.com/cisagov/vulnrichment/issues/194) | 2025-11-12 15:15:36 UTC (ADP), 2025-11-14 (Primary) | CERT/CC VINCE case VU#395558 |
|
|
| CVE-2025-43300 | **10.0** (ADP Secondary) | [vulnrichment #201](https://github.com/cisagov/vulnrichment/issues/201) | NVD CVE-History | CERT/CC VINCE case VU#395558 |
|
|
| CVE-2025-31200 | **9.8** (ADP Secondary) | [vulnrichment #200](https://github.com/cisagov/vulnrichment/issues/200) | 2025-11-24 15:15:47.917 UTC | CERT/CC VINCE case VRF#25-01-MPVDT / `gen-41698` |
|
|
| CVE-2025-31201 | **9.8** (ADP Secondary) | [vulnrichment #200](https://github.com/cisagov/vulnrichment/issues/200) | 2025-11-24 | CERT/CC VINCE case VRF#25-01-MPVDT / `gen-41698` |
|
|
|
|
The two VINCE cases are independent: VU#395558 (Glass Cage chain, 10.0 cluster) and VRF#25-01-MPVDT / `gen-41698` (April 16 patch pair, 9.8 cluster). Both went through CERT/CC's single coordination portal (`kb.cert.org/vince`); the distinguishing key is the case identifier, not the channel.
|
|
|
|
For the 31200/31201 atomic write, NVD CVE-History captures **five simultaneous changes**: new 9.8 CVSS vector, new CWE-119, new reference to vulnrichment #200, new reference to `github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201`, and the ADP actor UUID. All five are visible at `https://services.nvd.nist.gov/rest/json/cvehistory/2.0?cveId=CVE-2025-31200`.
|
|
|
|
### Case Table
|
|
|
|
| CVE / Case | My role (precise) | External anchor | Evidence | Status |
|
|
|---|---|---|---|---|
|
|
| CVE-2025-31200 | CISA ADP CVSS-reassessment contributor via [vulnrichment #200](https://github.com/cisagov/vulnrichment/issues/200); ADP write referenced my repo on NVD | [NVD record](https://nvd.nist.gov/vuln/detail/CVE-2025-31200) · [CVE-History API](https://services.nvd.nist.gov/rest/json/cvehistory/2.0?cveId=CVE-2025-31200) | [evidence/TRACK-B-CVE-2025-31200-31201/](../evidence/TRACK-B-CVE-2025-31200-31201/) | **VERIFIED** |
|
|
| CVE-2025-31201 | CISA ADP CVSS-reassessment contributor via [vulnrichment #200](https://github.com/cisagov/vulnrichment/issues/200) | [NVD record](https://nvd.nist.gov/vuln/detail/CVE-2025-31201) | [evidence/TRACK-B-CVE-2025-31200-31201/](../evidence/TRACK-B-CVE-2025-31200-31201/) | **VERIFIED** |
|
|
| CVE-2025-24085 | CISA ADP CVSS-reassessment contributor via [vulnrichment #194](https://github.com/cisagov/vulnrichment/issues/194); rescored to 10.0 | [NVD record](https://nvd.nist.gov/vuln/detail/CVE-2025-24085) · [CVE-History API](https://services.nvd.nist.gov/rest/json/cvehistory/2.0?cveId=CVE-2025-24085) | [evidence/TRACK-B-CVE-2025-24085-24201-43300/](../evidence/TRACK-B-CVE-2025-24085-24201-43300/) | **VERIFIED** |
|
|
| CVE-2025-24201 | CISA ADP CVSS-reassessment contributor via [vulnrichment #194](https://github.com/cisagov/vulnrichment/issues/194); rescored to 10.0 | [NVD record](https://nvd.nist.gov/vuln/detail/CVE-2025-24201) | [evidence/TRACK-B-CVE-2025-24085-24201-43300/](../evidence/TRACK-B-CVE-2025-24085-24201-43300/) | **VERIFIED** |
|
|
| CVE-2025-43300 | Chain-context contributor via [vulnrichment #201](https://github.com/cisagov/vulnrichment/issues/201); ADP Secondary 10.0 | [NVD record](https://nvd.nist.gov/vuln/detail/CVE-2025-43300) | [evidence/TRACK-B-CVE-2025-24085-24201-43300/](../evidence/TRACK-B-CVE-2025-24085-24201-43300/) | **VERIFIED** |
|
|
| MSRC-112639 | Reporter (M365 cross-tenant MIME type-confusion); CVE assignment pending | (MSRC portal — confidential until vendor advisory) | [evidence/TRACK-B-MSRC-112639/](../evidence/TRACK-B-MSRC-112639/) | PENDING |
|
|
| CNVD-2025-06744 | Contributor (贡献者) on CNCERT/CNVD original-vulnerability certificate `CNVD-YCGO-202503023656` (Apple iOS/iPadOS buffer overflow); issuing-body PDF staged | [CNVD listing](https://www.cnvd.org.cn/flaw/show/CNVD-2025-06744) | [evidence/TRACK-B-CNVD-2025-06744/](../evidence/TRACK-B-CNVD-2025-06744/) | **PROVISIONAL** |
|
|
| CNVD-2025-07885 | Contributor (贡献者) on CNCERT/CNVD original-vulnerability certificate `CNVD-YCGO-202504012519` (Apple multi-product use-after-free); issuing-body PDF staged | [CNVD listing](https://www.cnvd.org.cn/flaw/show/CNVD-2025-07885) | [evidence/TRACK-B-CNVD-2025-07885/](../evidence/TRACK-B-CNVD-2025-07885/) | **PROVISIONAL** |
|
|
| NASA/JPL TLS misconfig | Discloser | (NASA/JPL acknowledgement) | [evidence/TRACK-B-NASA-JPL-TLS/](../evidence/TRACK-B-NASA-JPL-TLS/) | UNVERIFIED |
|
|
| DOE-417 (5941450-1585693) | Filer | (DOE EOC reply) | [evidence/TRACK-B-DOE-417/](../evidence/TRACK-B-DOE-417/) | PENDING |
|
|
| FBI IC3 (`067b3177…`) | Filer | (IC3 confirmation) | [evidence/TRACK-B-IC3-067b3177c3524c80bce02cca08064d11/](../evidence/TRACK-B-IC3-067b3177c3524c80bce02cca08064d11/) | UNVERIFIED |
|
|
|
|
### Research repositories listed by NVD
|
|
|
|
NVD's CVE references include the following JGoyd-controlled repos as
|
|
Third-Party Advisories. These are agency-controlled placements — I did not
|
|
add the references myself:
|
|
|
|
- `github.com/JGoyd/Glass-Cage-iOS18-CVE-2025-24085-CVE-2025-24201` — referenced under CVE-2025-24085 and CVE-2025-24201.
|
|
- `github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201` — referenced under CVE-2025-31200 and CVE-2025-31201.
|
|
|
|
### Other repositories — important framing
|
|
|
|
I maintain a number of research repos describing iOS/macOS behavioral
|
|
observations, hardware findings, and analytical reconstructions (e.g.
|
|
`Project-Eclipse`, `NeuralNet`, `ams-failopen`, `A18-AON_Design`,
|
|
`Apple-Silicon-A17-Flaw`, `iOS-26.2-runningboard-vuln`,
|
|
`iCloud-PCS-Corruption`). These are **forensic observations and analysis,
|
|
not vendor-confirmed findings**, and have no NVD CVE / vendor advisory
|
|
attribution to me. They are presented as analytical work and should be read
|
|
as such.
|
|
|
|
---
|
|
|
|
## Section 2 — Regulatory and whistleblower filings (Track A)
|
|
|
|
> **Standing disclaimer:** Filing and agency acknowledgement does not
|
|
> constitute adjudication of the underlying claims. Each entry below
|
|
> establishes only that material I submitted was acknowledged by the
|
|
> receiving authority.
|
|
|
|
| Agency | Filing type | Date | Case / reference | External anchor | Evidence | Status |
|
|
|---|---|---|---|---|---|---|
|
|
| Lithuania — Panevėžio OTNK skyrius | Pre-trial investigation submission | 2026-04-30 | `01-1-03450-26` (case); `IBPS-S-248320-26` (doc reg.) | (IBPS e-signed receipt — eIDAS PAdES) | [evidence/TRACK-A-LT-CASE-01-1-03450-26/](../evidence/TRACK-A-LT-CASE-01-1-03450-26/) | PENDING |
|
|
| Slovak Republic — Generálna prokuratúra | Verified electronic submission | 2026-04-28 | `260428070422263` | (e-signed receipt — eIDAS PAdES) | [evidence/TRACK-A-SK-260428070422263/](../evidence/TRACK-A-SK-260428070422263/) | PENDING |
|
|
| European Commission — OLAF | Supplemental disclosure | 2026-05-04 | `00Db00K8yP.!500Sk019RuGn` | [BBC: OLAF opens Mandelson investigation](https://www.bbc.com/news/articles/cj98zm22327o) — parallel public investigation | [evidence/TRACK-A-OLAF-Ref-00Db00K8yP/](../evidence/TRACK-A-OLAF-Ref-00Db00K8yP/) | PARTIAL |
|
|
| Taiwan — NCC | Complaint forwarded | 2026-03-24 | `通傳基礎決字第11500091980號` | (NCC decision letter) | [evidence/TRACK-A-TW-NCC-11500091980/](../evidence/TRACK-A-TW-NCC-11500091980/) | PENDING |
|
|
| SEC — TCR Office | TCR submission | 2026-05-06 | `17780-976-067-126` | (SEC TCR acknowledgement) | [evidence/TRACK-A-SEC-TCR-17780-976-067-126/](../evidence/TRACK-A-SEC-TCR-17780-976-067-126/) | PENDING |
|
|
| UK — FCA | Bank of China (UK) advisory | 2026-05-11 | `212278528` | (FCA acknowledgement) | [evidence/TRACK-A-FCA-212278528/](../evidence/TRACK-A-FCA-212278528/) | UNVERIFIED |
|
|
| Singapore — CPIB | Corruption Reporting Form | 2026-05-04 | `69f824dfe5ef7daf3b78ccee` | (CPIB acknowledgement) | [evidence/TRACK-A-CPIB-69f824dfe5ef7daf3b78ccee/](../evidence/TRACK-A-CPIB-69f824dfe5ef7daf3b78ccee/) | UNVERIFIED |
|
|
| IRS — Whistleblower Office | Form 211 (IRC §7623(b)) | 2026-05-06 | (claim # pending paper letter) | (IRS WBO acknowledgement) | [evidence/TRACK-A-IRS-FORM-211/](../evidence/TRACK-A-IRS-FORM-211/) | UNVERIFIED |
|
|
| DOJ — FARA Unit | Public disclosure | 2026-05-05 | (FARA Unit intake ref) | (FARA Unit acknowledgement) | [evidence/TRACK-A-DOJ-FARA-Public/](../evidence/TRACK-A-DOJ-FARA-Public/) | UNVERIFIED |
|
|
| Japan — ISA | ICRRA Art. 70-1 referral | 2026-05-13 | (ISA intake ref) | (ISA acknowledgement) | [evidence/TRACK-A-Japan-ISA-ICRRA70-1/](../evidence/TRACK-A-Japan-ISA-ICRRA70-1/) | UNVERIFIED |
|
|
| Massachusetts AGO | MIT Media Lab complaint | 2026-05-05 | (AGO intake ref) | (AGO acknowledgement) | [evidence/TRACK-A-MA-AGO-MIT-MediaLab/](../evidence/TRACK-A-MA-AGO-MIT-MediaLab/) | UNVERIFIED |
|
|
|
|
---
|
|
|
|
## Section 3 — What I am NOT claiming
|
|
|
|
- I do not claim to be the original discoverer of any of the five Apple CVEs
|
|
listed above. Apple's own advisories credit the original reporters; my
|
|
contribution is the impact-reassessment and chain-analysis filings to CISA
|
|
ADP, as documented in the linked NVD CVE-History entries.
|
|
- I do not claim that agency receipt of a Track-A filing constitutes a
|
|
finding against any person or organization. Filing and acknowledgement
|
|
are clerical events.
|
|
- I do not claim association with, employment by, or representation of any
|
|
government, intelligence service, vendor, or law-enforcement agency.
|
|
- I do not claim that any repository I maintain is a vendor advisory unless
|
|
NVD or the vendor itself has linked it as such (currently: the two CVE
|
|
research repos noted in Section 1).
|
|
- I do not claim that observations in repositories without external
|
|
anchors are confirmed vulnerabilities. They are analytical observations.
|
|
|
|
---
|
|
|
|
## Section 4 — Contact
|
|
|
|
- **Journalists and investigators:** [contact channel — Proton Mail; encrypted preferred]
|
|
- **Vendors (coordinated disclosure):** [vendor contact channel]
|
|
- **Legal:** [counsel contact, if applicable]
|
|
|
|
Verify any reply from me by checking the PGP signature against the canonical
|
|
fingerprint published at the top of this page.
|