Dear Sirs,
I confirm receipt of your email.
On Oct 30th 2019 your client published two repositories of code on the public code sharing website Github. These materials were freely available for anyone to view clone fork or download from that date.
Thank you for making me aware that your client considers the data that they purposefully published on github in 2019 as private and confidential business information. I trust that they will be notifying the ICO of the data breach.
I have made no threats to your client as the schedule of emails shows. Any unattributed comments from third-parties are hear-say at best.
I made disclosures to your client in the interest of your client.
All details in the disclosures were gathered from openly accessible public URLs published by your client on the public internet.
I have already advised your client that I will destroy the repositories downloaded from a public web service and that I will provide a certificate of destruction.
I provide the following confirmations:
- I confirm that I will retain an encrypted copy of the materials as a record of my actions
- I will provide a certificate of destruction after 90days from the date of disclosure
- These timelines are common industry practice for security disclosures
- I confirm that I will not republish the the code repositories that your client published on the public internet
- I confirm that I created and shared security advisories with redacted / obfuscated content with your client
Sincerely,
Rob Dyke