timeline

Here are the highlights.

Go!

28/Feb - Discovery

Discovered two public repos on GitHub. Wrote up research to send to Apperta.

1/Mar - First disclosure

First disclosure sent to Apperta. Received a Thank You by email.

2/Mar - Second disclosure

Second disclosure sent to Apperta. Received a Thank You by email.

8/Mar - First email from Apperta's solicitor

Received a letter from Apperta's solicitor. I replied offering the requested confirmations, with revisions.

9/Mar - Second email from Apperta's solicitor

Second letter from Apperta's solicitor. My offered confirmations were unacceptable.

9/Mar - Third email from Apperta's solicitor

Another letter from Apperta's solicitor.

9/Mar - Need some help

Called out on Twitter to find a cyber-savvy lawyer and started a GoFundMe.

10/Mar - Twitter family

Wowza. Thank you Twitter family for your support on this. Just got off the phone having instructed a law firm to act for me. Holding letter being sent out to the complainant today. Aiming to get a substantive response out to them on Friday. Probably about £3k + VAT. Humbled by generosity, strengthened by numbers. Onwards! Insert penguin gif here.

11/Mar - GFM Thank you

Thank you. Each and every one of you. Legals covered. Crossed fingers. Remaining funds to CodeYourFuture

12/Mar - Substantive response sent to Apperta's solicitor

Substantive response sent to Apperta's solicitor. 32 points over 5 pages.

13/Mar - Clarifications provided by email to Apperta

In an email sent Mon, 8 Mar, 15:44:
- I confirmed that I no longer have a copy, clone or fork of the publicly available
- I confirm that I have not and will not publish the data your clients made available on a public website or had published on a public URL.

15/Mar - determined to “shoot the messenger”

Correspondence from the other side late Friday and over the weekend. It appears they are determined to "shoot the messenger", threatening and criticising me for flagging a problem to them. This is not an attractive or reasonable approach. I have already agreed, through my lawyer, to give the undertakings set out in the substantive letter and have provided additional information and assurances to them. Today the legal team has written to the other side inviting them to confirm that they will now withdraw their threat of civil proceedings against me and the serious allegation of committing a criminal offence.

15/Mar - Statement of Trust

A Statement of Trust is requested. I'm in the last chance saloon.

15/Mar - I'm now being asked to provide a signed witness statement

18/Mar - Confirmation of Facts

I offer to sign a Confirmation of Facts Regarding Responsible Disclosure to Apperta in March 2021.

24/Mar - Apperta files a Computer Misuse report with Northumbria Police

24 days since I notified AppertaUK about the leaky repo, 23 days since they thanked me, and 18 days since I confirmed my clone was deleted (and have repeatedly confirmed this to their lawyer), I hear from the police.

"I would be grateful if you could provide me with a telephone number so I could speak with you in relation to a report of Computer Misuse.
D/Constable Specialist Cyber Investigator"

25/Mar - Engineer reports data leak to nonprofit, hears from the police

Ax Sharma in Bleeping Computer

25/Mar - Security researcher launches GoFundMe campaign to fight legal threat over vulnerability disclosure

Charlie Osborne in The Daily Swig

31/Mar - Blogged

I found secret info on GitHub, notified the owner, and found out the hard way that UK cyber law is broken.

Responsible Disclosure - Part 1 of ...? TL;DR.

14/Apr - Security Ledger

A week ago I spoke to Paul Roberts of Security Ledger. His piece on this expensive, months-long legal tussle, and on recent calls for reform of our 30-year-old Computer Misuse Act, which criminalises the work of 'Good Samaritan' security researchers acting in the public interest, is now online.

Dispute Over Data Leak Highlights Legal Risks for UK Researchers

14/Apr - Some news!

Earlier today I heard that there will be no action taken concerning the complaint made to the police.

Phew, that's a weight off my mind. In terms of costs, so far I've incurred around £10k including VAT.

The other side have not accepted any of the permutations offered by way of confirmatory statements. We continue to exchange letters...

I've written up much of the saga so far for your enjoyment.

19/Apr - Time to pay

Folks, just wanted to share with you the invoice for the work undertaken for the period 10th to 26th of March. That's £9500. Ouch.

25/Apr - High court documents

It's a beautiful day outside. I should be playing with Child v2. Instead I'm working on materials for the looming injunction that @AppertaUK seek against me.

Did you know that it costs in the region of £15k to defend an injunction? No, me neither.

If I had known that at the start, I would have left the 'private and confidential business information' that @AppertaUK are so concerned about where I found it (open and public on GitHub).

9/May - The Apperta Data Breach Fiasco

Guise Bule in Sec Juice writes "When Peter Coates, NHS England's Open Source Program Manager and now the Managing Director of Apperta, told Digital Health News that Apperta would "be fully transparent with information published online", nobody thought that he meant Apperta would put their confidential data into publicly available repositories on Github."

9/May - The Gregg Housh Show

SickCodes joins Gregg Housh to talk John Deere, and Apperta disclosures

11/May - NCSC #CYBERUK2021

Today at NCSC CYBERUK2021 event we heard that the Government is to reform Computer Misuse Act.

Home secretary Priti Patel will explore reforming the Computer Misuse Act as calls mount for the 31-year-old law to be updated to reflect the changed online world.

'I believe now is the right time to undertake a formal review of the Computer Misuse Act. And today I am announcing that we will be launching a call for information on the Act this year.' @Priti Patel, Home Secretary CYBERUK21

It continues