JGoyd/docs/PHASE-2_FLAGSHIP_SELECTION.md
2026-05-18 22:58:05 -07:00

# Phase 2 — Flagship Case Selection
Selection criteria (from the brief): most external anchors already visible, confirmation email available, defensible role statement, strongest credibility signal on a name lookup.
## Track B — Flagship #1 (strongest in dataset)
### **CVE-2025-31200 / CVE-2025-31201 — CoreAudio decode RCE + RPAC bypass chain**
**Why this is the flagship.** A single CISA Authorized Data Publisher (ADP) write to NVD at `2025-11-24T15:15:47.917Z` simultaneously:
- removed the prior CVSS v3.1 vector,
- added the new CVSS v3.1 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` → base 9.8,
- added a Reference to `https://github.com/cisagov/vulnrichment/issues/200` (your issue),
- added a Reference to `https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201/blob/main/Remote%20Crypto%20Attack%20Chain%20.md` (your repo).
That ADP source UUID is `134c704f-9b21-4f2e-91b3-4a467353bcc0` — CISA, not you. The action is logged by NVD, not you. The vulnrichment issue `#200` was closed by CISA at `2025-11-24T14:46:17Z`, about 30 minutes before the rescore. That timing chain is independently reconstructible by any third party via the NVD CVE History API and the public GitHub issue timeline.
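As an added verification example (not part of this document or of the JGoyd repositories), the following Python checks a CVE History API response for exactly the write described above: it keeps only change events authored by the CISA ADP source UUID, confirms the four detail actions, and measures the gap from the vulnrichment issue closure. The embedded response is constructed in the API's documented `cveChanges[].change.details[]` shape, not a real capture.

```python
import json
from datetime import datetime, timezone

# Values taken from this document: the CISA ADP source UUID, the new vector and the two added references.
CISA_ADP_SOURCE = "134c704f-9b21-4f2e-91b3-4a467353bcc0"
EXPECTED_VECTOR = "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
EXPECTED_REFS = {
    "https://github.com/cisagov/vulnrichment/issues/200",
    "https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201/blob/main/Remote%20Crypto%20Attack%20Chain%20.md",
}

# Constructed sample in the shape of an NVD CVE History API 2.0 response; not a real capture,
# only the fields the checks below read. The prior vector is not stated on the page, so it is a placeholder.
SAMPLE_HISTORY = json.dumps({"cveChanges": [{"change": {
    "cveId": "CVE-2025-31200", "eventName": "CVE Modified",
    "sourceIdentifier": CISA_ADP_SOURCE, "created": "2025-11-24T15:15:47.917",
    "details": [
        {"action": "Removed", "type": "CVSS V3.1", "oldValue": "<prior vector, not given on the page>"},
        {"action": "Added", "type": "CVSS V3.1", "newValue": "CISA-ADP " + EXPECTED_VECTOR},
        {"action": "Added", "type": "Reference", "newValue": "https://github.com/cisagov/vulnrichment/issues/200"},
        {"action": "Added", "type": "Reference", "newValue": "https://github.com/JGoyd/iOS-Attack-Chain-CVE-2025-31200-CVE-2025-31201/blob/main/Remote%20Crypto%20Attack%20Chain%20.md"},
    ]}}]})

def parse_utc(ts):
    """Parse an ISO timestamp; NVD omits the zone (it is UTC), GitHub uses a trailing Z."""
    return datetime.fromisoformat(ts.rstrip("Z")).replace(tzinfo=timezone.utc)

def adp_writes(history_json, cve_id, source=CISA_ADP_SOURCE):
    """Return the change events for cve_id whose sourceIdentifier is the given NVD source."""
    history = json.loads(history_json)
    return [c["change"] for c in history["cveChanges"]
            if c["change"]["cveId"] == cve_id and c["change"]["sourceIdentifier"] == source]

def is_rescore_write(change):
    """True if one write removed a v3.1 vector, added the expected one, and added both references."""
    d = change["details"]
    removed = any(x["action"] == "Removed" and x["type"] == "CVSS V3.1" for x in d)
    added = any(x["action"] == "Added" and x["type"] == "CVSS V3.1"
                and x.get("newValue", "").endswith(EXPECTED_VECTOR) for x in d)
    refs = {x["newValue"] for x in d if x["action"] == "Added" and x["type"] == "Reference"}
    return removed and added and EXPECTED_REFS <= refs

def seconds_after_issue_close(change, issue_closed_at):
    """Seconds between the GitHub issue closure and the NVD write (positive means the write came later)."""
    return (parse_utc(change["created"]) - parse_utc(issue_closed_at)).total_seconds()

if __name__ == "__main__":
    for w in adp_writes(SAMPLE_HISTORY, "CVE-2025-31200"):
        print(w["created"], is_rescore_write(w), seconds_after_issue_close(w, "2025-11-24T14:46:17Z"))
```

Against a live response, fetch the CVE History API URL listed under external anchors and pass the body to `adp_writes` unchanged.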
**Honest role statement.** "Contributed to CISA ADP CVSS impact reassessment for CVE-2025-31200 and CVE-2025-31201 via `cisagov/vulnrichment` issue #200. The CISA ADP referenced the JGoyd research repository as a third-party advisory and the GitHub issue as issue-tracking on the NVD records. Original vulnerability discovery is credited by Apple to another reporter."
**Do not claim.** Original discovery. Apple-acknowledged finder. Exploit author.
**External anchors (all third-party-controlled):**
- NVD CVE record: https://nvd.nist.gov/vuln/detail/CVE-2025-31200
- NVD CVE History API: https://services.nvd.nist.gov/rest/json/cvehistory/2.0?cveId=CVE-2025-31200
- CISA vulnrichment issue: https://github.com/cisagov/vulnrichment/issues/200
- Apple advisory: https://support.apple.com/en-us/122282
- CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31200
**Confirmation-email artifacts to publish (if held):**
- Vendor (Apple Product Security) acknowledgement, if any, of the analysis material you sent → `.eml`
- CERT/CC VINCE or VRF acknowledgement for the chain analysis → `.eml`
- (CISA does not typically send DKIM-confirming emails for vulnrichment issue closures; the GitHub issue audit log + NVD API serve that role.)
---
## Track B — Flagship #2 (secondary)
### **CVE-2025-24085 / CVE-2025-24201 — Glass Cage iOS 18 chain (CoreMedia UAF + WebKit OOB write)**
**Why this is the second flagship.** Same ADP pattern as Flagship #1, but slightly weaker because:
- The ADP rescore (2025-11-12) raised the CVSS to **10.0** and added vulnrichment#194 as Issue-Tracking,
- but the JGoyd repo `Glass-Cage-iOS18-CVE-2025-24085-CVE-2025-24201` is referenced under the generic `af854a3a-…` NVD source ID, not directly under the CISA ADP UUID. It is still externally anchored, just by NVD's generic ingest rather than by an atomic ADP write.
**Honest role statement.** "Submitted CVSS impact-reassessment request via `cisagov/vulnrichment` issue #194. CISA ADP raised the CVSS to 10.0 within 24 hours of issue closure. The JGoyd Glass Cage research repository is listed on the NVD record as a Third-Party Advisory."
**External anchors:**
- NVD records (×2), vulnrichment#194, Apple advisories, CISA KEV.
---
## Track A — Flagship (strongest "agency-controlled anchor" candidate)
### **A-09 — Lithuania, Panevėžio OTNK skyrius — Pre-trial investigation `01-1-03450-26`** (with **A-08 Slovakia** as a fallback if the Lithuania receipt PDF is not e-signed)
**Why this is the Track-A flagship.** This is the closest to the task description's literal example ("agency PGP-signed / electronically-signed confirmation that submission was added to criminal case file #01-1-03450-26"). Three structural strengths:
1. **A specific, numbered, pre-trial criminal investigation file** `01-1-03450-26` — opened by a sovereign prosecutor's office. The case-file number is itself the anchor; if a journalist asks Panevėžys Regional Prosecutor's Office whether file `01-1-03450-26` exists and whether your IBPS document number `IBPS-S-248320-26` is registered, they get a yes/no answer from the agency, independent of you.
2. **The Lithuanian IBPS (Integruota baudžiamojo proceso sistema) issues machine-signed receipts** — these are PAdES/CAdES-signed PDFs verifiable in any PDF signature validator without trusting you.
3. **No public adjudication exists yet** — so the framing is honest: filed, accepted into a case file, *not* an adjudication of the underlying allegations. That is exactly the disclaimer the brief requires.
**Honest role statement.** "On 2026-04-30, I submitted material to the Panevėžys Regional Prosecutor's Office, Organized Crime and Corruption Investigation Division (Panevėžio OTNK skyrius). The office's IBPS system issued document registration number `IBPS-S-248320-26`, and the material was added to pre-trial criminal investigation file `01-1-03450-26`. Filing and acceptance into a pre-trial investigation file is **not** an adjudication of the underlying claims."
**Backup (Slovakia, A-08).** If for any reason the Lithuania receipt cannot be safely redacted-and-published (e.g., it contains witness identifiers), publish Slovakia instead: `genpro.gov.sk` tracking `260428070422263` with the PAdES-signed "Potvrdenka po úplnom overení" receipt PDF.
**OLAF (A-04) is *not* the flagship**, despite the BBC/Reuters coverage, because the publicly confirmed OLAF investigation predates the user's submission and therefore the user cannot be claimed as cause. It is still an excellent secondary anchor.
---
## What gets built first as a publication-ready proof package
1. **`/evidence/TRACK-B-CVE-2025-31200-CVE-2025-31201/`** — built around the NVD CVE-History atomic write as the primary anchor; the vendor/CERT acknowledgement email (if held) becomes the secondary cryptographic artifact.
2. **`/evidence/TRACK-A-LT-CASE-01-1-03450-26/`** — built around the IBPS-signed receipt PDF as the primary anchor; the prosecutor-office acknowledgement email (if held) becomes the secondary artifact.
Everything else stays in the ledger at PARTIAL or PENDING status until its own anchor is produced.