JGoyd/docs/PHASE-2_FLAGSHIP_SELECTION.md
2026-05-18 22:58:05 -07:00


Phase 2 — Flagship Case Selection

Selection criteria (from the brief): most external anchors already visible, confirmation email available, defensible role statement, strongest credibility signal on a name lookup.

Track B — Flagship #1 (strongest in dataset)

CVE-2025-31200 / CVE-2025-31201 — CoreAudio decode RCE + RPAC bypass chain

Why this is the flagship. A single CISA Authorized Data Publisher (ADP) write to NVD at 2025-11-24T15:15:47.917Z simultaneously:

  • removed the prior CVSS v3.1 vector,
  • added the new CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H → base 9.8,
  • added a Reference to https://github.com/cisagov/vulnrichment/issues/200 (your issue),
  • added a Reference to https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201/blob/main/Remote%20Crypto%20Attack%20Chain%20.md (your repo).

That ADP source UUID, 134c704f-9b21-4f2e-91b3-4a467353bcc0, belongs to CISA, not to you. The action is logged by NVD, not by you. Vulnrichment issue #200 was closed by CISA at 2025-11-24T14:46:17Z, roughly 30 minutes before the rescore. That timing chain is independently reconstructible by any third party from the NVD CVE History API and the public GitHub issue timeline.
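The timing reconstruction described above, as an added example that is not part of this memo: it parses a constructed NVD CVE Change History API 2.0 response populated with the values quoted here, isolates the change event authored by the CISA ADP source identifier, and computes the gap from the vulnrichment issue closure to that write. The response field names (cveChanges, change, sourceIdentifier, details, action/type/oldValue/newValue) follow NVD's published schema; the function names are assumptions of this example, the removed vector is a placeholder, and NVD timestamps are assumed to be UTC.

```python
from datetime import datetime, timezone

CISA_ADP_SOURCE = "134c704f-9b21-4f2e-91b3-4a467353bcc0"  # CISA ADP source UUID (from the memo)

def parse_ts(ts):
    """NVD 'created' stamps carry no zone (assumed UTC here); GitHub stamps end in 'Z'."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def adp_writes(history, source=CISA_ADP_SOURCE):
    """Collapse each change event from `source` into what that one write removed and added."""
    writes = []
    for entry in history.get("cveChanges", []):
        ch = entry["change"]
        if ch.get("sourceIdentifier") != source:
            continue
        w = {"cve": ch["cveId"], "at": parse_ts(ch["created"]),
             "cvss_removed": [], "cvss_added": [], "refs_added": []}
        for d in ch.get("details", []):
            key = (d.get("type"), d.get("action"))
            if key == ("CVSS V3.1", "Removed"):
                w["cvss_removed"].append(d.get("oldValue", ""))
            elif key == ("CVSS V3.1", "Added"):
                w["cvss_added"].append(d.get("newValue", ""))
            elif key == ("Reference", "Added"):
                w["refs_added"].append(d.get("newValue", ""))
        writes.append(w)
    return writes

def minutes_issue_close_to_rescore(write, issue_closed_at, required_refs):
    """Minutes from issue closure to the ADP write; None if the write did not both replace the
    CVSS v3.1 vector and add every required reference, or if it preceded the closure."""
    if not (write["cvss_removed"] and write["cvss_added"]):
        return None
    if any(ref not in write["refs_added"] for ref in required_refs):
        return None
    gap = (write["at"] - parse_ts(issue_closed_at)).total_seconds() / 60
    return gap if gap > 0 else None

# Constructed sample in the shape of an NVD CVE Change History API 2.0 response
# (cvehistory/2.0?cveId=...), populated from the memo; not a live capture.
ISSUE_200 = "https://github.com/cisagov/vulnrichment/issues/200"
REPO_REF = "https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201/blob/main/Remote%20Crypto%20Attack%20Chain%20.md"
SAMPLE_HISTORY = {"cveChanges": [{"change": {
    "cveId": "CVE-2025-31200", "eventName": "CVE Modified",
    "sourceIdentifier": CISA_ADP_SOURCE, "created": "2025-11-24T15:15:47.917",
    "details": [
        {"action": "Removed", "type": "CVSS V3.1", "oldValue": "PRIOR-VECTOR-PLACEHOLDER"},
        {"action": "Added", "type": "CVSS V3.1", "newValue": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
        {"action": "Added", "type": "Reference", "newValue": ISSUE_200},
        {"action": "Added", "type": "Reference", "newValue": REPO_REF}]}}]}
ISSUE_200_CLOSED = "2025-11-24T14:46:17Z"  # closed_at from the public GitHub issue timeline
```

Against a live response, any event from a different source identifier (for example NVD's generic ingest) is ignored, which is exactly the distinction the memo draws between Flagship #1 and #2.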

Honest role statement. "Contributed to CISA ADP CVSS impact reassessment for CVE-2025-31200 and CVE-2025-31201 via cisagov/vulnrichment issue #200. The CISA ADP referenced the JGoyd research repository as a third-party advisory and the GitHub issue as issue-tracking on the NVD records. Original vulnerability discovery is credited by Apple to another reporter."

Do not claim. Original discovery. Apple-acknowledged finder. Exploit author.

External anchors (all third-party-controlled):

Confirmation-email artifacts to publish (if held):

  • Vendor (Apple Product Security) acknowledgement, if any, of the analysis material you sent → .eml
  • CERT/CC VINCE or VRF acknowledgement for the chain analysis → .eml
  • (CISA does not typically send DKIM-confirming emails for vulnrichment issue closures; the GitHub issue audit log + NVD API serve that role.)

Track B — Flagship #2 (secondary)

CVE-2025-24085 / CVE-2025-24201 — Glass Cage iOS 18 chain (CoreMedia UAF + WebKit OOB write)

Why this is the second flagship. Same ADP pattern as Flagship #1, but slightly weaker because:

  • The ADP rescore (2025-11-12) set the CVSS to 10.0 and added vulnrichment#194 as Issue-Tracking,
  • but the JGoyd repo Glass-Cage-iOS18-CVE-2025-24085-CVE-2025-24201 is referenced under the generic af854a3a-… NVD source ID, not directly under the CISA ADP UUID. It is still externally anchored, just by NVD's generic ingest rather than by an ADP atomic write.

Honest role statement. "Submitted CVSS impact-reassessment request via cisagov/vulnrichment issue #194. CISA ADP raised the CVSS to 10.0 within 24 hours of issue closure. The JGoyd Glass Cage research repository is listed on the NVD record as a Third-Party Advisory."

External anchors:

  • NVD records (×2), vulnrichment#194, Apple advisories, CISA KEV.

Track A — Flagship (strongest "agency-controlled anchor" candidate)

A-09 — Lithuania, Panevėžio OTNK skyrius — Pre-trial investigation 01-1-03450-26 (with A-08 Slovakia as a fallback if the Lithuania receipt PDF is not e-signed)

Why this is the Track-A flagship. This is the closest to the task description's literal example ("agency PGP-signed / electronically-signed confirmation that submission was added to criminal case file #01-1-03450-26"). Three structural strengths:

  1. A specific, numbered, pre-trial criminal investigation file, 01-1-03450-26, opened by a sovereign prosecutor's office. The case-file number is itself the anchor; if a journalist asks the Panevėžys Regional Prosecutor's Office whether file 01-1-03450-26 exists and whether your IBPS document number IBPS-S-248320-26 is registered, they get a yes/no answer from the agency, independent of you.
  2. The Lithuanian IBPS (Integruota baudžiamojo proceso sistema) issues machine-signed receipts — these are PAdES/CAdES-signed PDFs verifiable in any PDF signature validator without trusting you.
  3. No public adjudication exists yet — so the framing is honest: filed, accepted into a case file, not an adjudication of the underlying allegations. That is exactly the disclaimer the brief requires.

Honest role statement. "On 2026-04-30, I submitted material to the Panevėžys Regional Prosecutor's Office, Organized Crime and Corruption Investigation Division (Panevėžio OTNK skyrius). The office's IBPS system issued document registration number IBPS-S-248320-26, and the material was added to pre-trial criminal investigation file 01-1-03450-26. Filing and acceptance into a pre-trial investigation file is not an adjudication of the underlying claims."

Backup (Slovakia, A-08). If for any reason the Lithuania receipt cannot be safely redacted and published (e.g., it contains witness identifiers), publish Slovakia instead: genpro.gov.sk tracking 260428070422263 with the PAdES-signed "Potvrdenka po úplnom overení" (confirmation after full verification) receipt PDF.

OLAF (A-04) is not the flagship, despite the BBC/Reuters coverage, because the publicly confirmed OLAF investigation predates the user's submission, so the user cannot be claimed as its cause. It is still an excellent secondary anchor.


What gets built first as a publication-ready proof package

  1. /evidence/TRACK-B-CVE-2025-31200-CVE-2025-31201/ — built around the NVD CVE-History atomic write as the primary anchor; the vendor/CERT acknowledgement email (if held) becomes the secondary cryptographic artifact.
  2. /evidence/TRACK-A-LT-CASE-01-1-03450-26/ — built around the IBPS-signed receipt PDF as the primary anchor; the prosecutor-office acknowledgement email (if held) becomes the secondary artifact.

Everything else stays in the ledger at PARTIAL or PENDING status until its own anchor is produced.