28/Feb - Discovery
Discovered two public repos on GitHub. Wrote up research to send to Apperta.
1/Mar - First disclosure
First disclosure sent to Apperta. Received a Thank You by email.
2/Mar - Second disclosure
Second disclosure sent to Apperta. Received a Thank You by email.
8/Mar - First email from Apperta's solicitor
Received a letter from Apperta's solicitor. I reply offering requested confirmations with revisions.
9/Mar - Second email from Apperta's solicitor
Second letter from Apperta's solicitor. My offered confirmations were unacceptable.
9/Mar - Third email from Apperta's solicitor
Another letter from Apperta's solicitor
9/Mar - Need some help
Called out on Twitter to find a cyber-savvy lawyer and started GoFundMe.
10/Mar - Twitter family
Wowza. Thank you Twitter family for your support on this. Just got off phone having instructed law firm to act for me. Holding letter being sent out to complainant today. Aiming to get a substantive response out to them on Friday. Probably about 3k+vat. Humbled by generosity, strengthened by numbers. Onwards! Insert penguin gif here.
11/Mar - GFM Thank you
Thank you. Each and every one of you. Legals covered. Crossed fingers. Remaining funds to CodeYourFuture
12/Mar - Substantive response sent to Apperta's solicitor
Substantive response sent to Apperta's solicitor. 32 points over 5 pages.
13/Mar - Clarifications provided by email to Apperta.
In email sent Mon, 8 Mar, 15:44
- I confirmed that I no longer have a copy, clone or fork of the publicly available
- I confirm that I have not and will not publish the data your clients made available on a public website or had published on a public URL.
15/Mar - determined to “shoot the messenger”
Correspondence from other side late Friday and over the weekend. It appears they are determined to "shoot the messenger", threatening and criticising me for flagging a problem to them. This is not an attractive or reasonable approach. I have already agreed, through lawyer, to give the undertakings set out in the substantive letter and have provided additional information and assurances to them. Today Legal team have written to the other side inviting them to confirm that they will now withdraw their threat of civil proceedings against me and the serious allegation of committing a criminal offence.
15/Mar - Statement of Trust
A Statement of Trust is requested. I'm in the last chance saloon.
15/Mar - I'm now being asked to provide a signed witness statement
18/Mar - Confirmation of Facts
I offer to sign a Confirmation of Facts Regarding Responsible Disclosure to Apperta in March 2021.
24/Mar - Apperta file a Computer Misuse report to Northumbria Police
24 days since I notified AppertaUK about the leaky repo, 23 days since they thanked me, & 18 days since I confirmed my clone was deleted (and have repeatedly confirmed to lawyer) I hear from the police.
"I would be grateful if you could provide me with a telephone number so I could speak with you in relation to a report of Computer Misuse.
D/Constable Specialist Cyber Investigator"
25/Mar - Engineer reports data leak to nonprofit, hears from the police
Ax Sharma in Bleeping Computer
25/Mar - Security researcher launches GoFundMe campaign to fight legal threat over vulnerability disclosure
Charlie Osborne in The Daily Swig
31/Mar - Blogged
I found secret info on GitHub, notified the owner, and found out the hard way that UK cyber law is broken.
14/Apr - Security Ledger
A week ago I spoke to Paul Roberts of Security Ledger. His piece on this expensive, months-long legal tussle and recent calls for reform to our 30 year-old Computer Misuse Act, which criminalizes the work of ‘Good Samaritan’ security researchers acting in the public interest, is now online.
14/Apr - Some news!
Earlier today I heard that there will be no action taken concerning the complaint made to the police.
Phew, That's a weight off my mind. In terms of costs, so far I've incurred around £10k including VAT.
The other side have not accepted any of the permutations offered by way of confirmatory statements. We continue to exchange letters...
19/Apr - Time to pay
Folks, just wanted to share with you the invoice for the work undertaken for the period 10th to 26th of March. That's £9500. Ouch.
25/Apr - High court documents
It's a beautiful day outside. I should be playing with Child v2. Instead I'm working on materials for the looming injunction that @AppertaUK seek against me.
Did you know that it costs in the region of £15k to defend an injunction? No, me neither.
If I had known that at the start, I would have left the 'private and confidential business information' that @AppertaUK are so concerned about where I found it (open and public on Github)
9/May - The Apperta Data Breach Fiasco
Guise Bule in Sec Juice writes "When Peter Coates, NHS England's Open Source Program Manager and now the Managing Director of Apperta, told Digital Health News that Apperta would "be fully transparent with information published online", nobody thought that he meant Apperta would put their confidential data into publicly available repositories on Github."
9/May - The Gregg Housh Show
SickCodes joins Gregg Housh to talk John Deere, and Apperta disclosures
11/May - NCSC #CYBERUK2021
Today at NCSC CYBERUK2021 event we heard that the Government is to reform Computer Misuse Act.
Home secretary Priti Patel will explore reforming the Computer Misuse Act as calls mount for the 31-year-old law to be updated to reflect the changed online world.
'I believe now is the right time to undertake a formal review of the Computer Misuse Act. And today I am announcing that we will be launching a call for information on the Act this year.' Priti Patel, Home Secretary, CYBERUK21
14/May - The Register
Did I mention that El Reg covered this sorry state of affairs?