https://informationsecuritybuzz.com/expert-comments/vw-fired-senior-employee-after-they-raised-cyber-security-concerns/

Should this incident be added?

https://arstechnica.com/information-technology/2020/01/criminal-charges-dropped-against-2-pentesters-who-broke-into-iowa-courthouse/

https://ca.gofundme.com/f/stand-against-proctorio

Business Insider: https://www.businessinsider.com/proctorio-silencing-critics-fueling-student-protests-against-surveilalnce-edtech-schools-2020-10

Deutschlandfunk (German Public Radio): https://www.deutschlandfunk.de/hochschulen-in-der-corona-pandemie-online-ueberwachung-soll.684.de.html?dram:article_id=486757

Inside Higher Ed: https://www.insidehighered.com/quicktakes/2020/10/20/ed-tech-specialist-fights-proctorio-lawsuit

Teen Vogue: https://www.teenvogue.com/story/exam-surveillance-tools-remote-learning

The Ubyssey: https://www.ubyssey.ca/news/linkletter-responds-to-proctorio-lawsuit/

Vancouver Sun: https://vancouversun.com/news/ubc-employee-being-sued-by-u-s-software-company-files-anti-slapp-application

The Verge: https://www.theverge.com/2020/10/22/21526792/proctorio-online-test-proctoring-lawsuit-universities-students-coronavirus

Vice: https://www.vice.com/en/article/7k9zjy/an-exam-surveillance-company-is-trying-to-silence-critics-with-lawsuits

As much as I appreciate you compiling and shaming companies that threaten researchers, it is clear that the research team at Secunia were mostly interested to prop their brand than actually researching and helping the open source project.

I understand that lawyering up is not the most optimal solution, but here, it is clearly a case where they are not actually pointing out a vulnerability, just trying to get a nice trophy and holding on to it as long as possible.

https://www.bleepingcomputer.com/news/security/45-000-facebook-users-leave-one-star-ratings-after-hackers-unjust-arrest/
https://www.techspot.com/news/70260-hungarian-teen-arrested-exposing-major-security-flaw-public.html
https://www.scmagazine.com/news/network-security/teen-arrested-for-reporting-bug-in-budapest-transit-system

I hope Alberto can enlighten us in a few short sentences!

In the readme http://www.customs.gov/ is used even though it points a non-existent site.

I think the new link is https://www.cbp.gov.

https://timesofmalta.com/articles/view/we-wanted-help-students-arrested-exposing-freehour-security-flaw.1024757
'We wanted to help': Students arrested after exposing FreeHour security flaw
Police investigate four students who discovered vulnerability in application

Giorgio Grigolo, Michael Debono, Luke Bjorn Scerri and Luke Collins were scanning through the software of the app when they found a vulnerability they say could be exploited by malicious hackers.

They emailed their findings to FreeHour’s owner and asked for a reward – or ‘bug bounty’ – for spotting the mistake.

But, instead of a payoff, the University of Malta students were arrested, strip-searched and had their computer equipment seized.
[..]

Add @what3words for threatening @toponce

https://techcrunch.com/2021/04/30/what3words-legal-threat-whatfreewords/

I made some enhancements to the intro but would like second eyes. Fix or revert as needed.

The table is a big awkward on mobile and limits the horizontal field length, I will work on adding rows instead and see how it looks that was each submission can go into greater details and the words would wrap properly. Just a suggestion at this stage :)

Posting here for reference, as this may qualify for inclusion pending more details.

https://twitter.com/BryanSmart/status/1384243611110285321

URGENT! If you, or someone you know, is using the Open GD77 firmware for Radiodity ham radios, the only talking handheld FM/DMR radio, the author is being forced to take it down due to some licensing issue. Not much details yet. He's leaving it up for 48 hours, then it's gone.

Hi,
I could finally present it yesterday at INFILTRATE
Slides: https://syscall.eu/pdf/INFILTRATE2020-RIGO-Xerox-final.pdf
Video: https://vimeo.com/showcase/8085537/video/539693997

Some reporting about it: https://portswigger.net/daily-swig/xerox-vulnerability-disclosure-legal-threat-withdrawn

At Kiwicon 7 (2013-11-09), researcher "AmmonRa" disclosed a series of vulnerabilities regarding Christchurch's "Metro Card" bus fare system. He previously reported the security flaw to Environment Canterbury, the group that oversees the bus network, three months prior, but nothing had been done.

After disclosing the vulnerability publicly, Environment Canterbury director operations Wayne Holton-Jeffreys had called the police (but was unsure if any charges would be laid).

Digging through old Errata mails:

The case against Henrik Høyer listed 3rd in the list of legal threats was finally resolved this spring.
He was originally found guilty in local court but was found not guilty on appeal to a higher court based on lack of evidence.
Below articles are in Danish but describe the situation. Worth adding to the entry I think.

https://www.version2.dk/artikel/dom-faldet-i-kontroversiel-boernehave-hackersag-709985
https://www.version2.dk/artikel/derfor-blev-henrik-hoeyer-frifundet-1074649

Hi,
regarding my Blue Coat talk, I could present it (almost unchanged) months later at Ruxcon and Black Hat Europe
see https://syscall.eu/ for slides and video link

https://www.heise.de/news/Warum-ein-Sicherheitsforscher-im-Fall-Modern-Solution-verurteilt-wurde-9601392.html
https://infosec.exchange/@WPalant/111776937550399546

Thought I'd open a new issue regarding my experiences with the Massachusetts Institute of Technology four years ago. I had found an exposed WordPress debug log that had been recording for about a year when I found it (4GB+ of data). All PII has been removed except my own, which is already publicly available.

The legal threat:

My email to the head of MIT's IT department:

MIT's IT Head response:

Follow-up from original staff member encouraging that I stay away from security:

Will add this one shortly, it's a keeper for sure

https://twitter.com/nahamsec/status/1694388639994675568

https://www.exploit-db.com/exploits/2296

[..]
9/2/06 - Vendor Notified. |
9/2/06 - Vendor Replied. Threatens legal action. |
9/4/06 - Exploit Released with no details to vendor.
[..]

There's a broken link to the C&D letter for the 2015-07-13 Impero Software incident. The original link (https://pdf.yt/d/fRcZ1TWHaDkwz-Ea) is not resolving for me. There are a few choices to fix this:

• Archive.org mirrors the original link
  • and offers a direct download of the original
  • as well as an OCR'd searchable text version that's also better for screen readers
• Cybergibbons (🤷) has a copy of the original on their wordpress site
• LizardHQ (🤷) has a copy of it on their github repo for their site
• A copy can be added to this repo in the goodies directory and the README can link to that

I'd be happy to make a PR, just let me know what's preferred. And if it's adding it to this repo in the goodies directory, which version is preferred? The original or the OCR, searchable, screen reader friendly version that archive.org automatically created?

Recently found a critical vulnerability. Reserved a CVE for it.

However the vendor is threatening my client with breach of contract and tells me not to publish CVE.

I would like to warn about this vendor. However because of this hostile behaviour I want to discuss this in private with someone. How can I reach out to the maintainers?

|2021-08-04|CDU (German political party)|Lilith Wittmann |In 2021, during the election campaign for the German Bundestag, s security researcher named Lilith Wittmann discovered and published data security issues in the election campaign app used by the German parties CDU, CSU and Volkspartei. The CDU pressed charges against Wittmann but withdrew later after a public outcry and apologized.|

Reference:
https://twitter.com/taviso/status/1566077115992133634
And CEO's response:
https://twitter.com/eastdakota/status/1566160152684011520

According to this tweet, a criminal case may have been opened against the researcher who spoke to CA media about putting the whole passport in the QR code.

https://twitter.com/caparsons/status/1432737749484937222?s=21

Repo showing the full patient health data regarding vaccination:

https://github.com/fproulx/shc-covid19-decoder

Following this story at the moment to try and find out who's in trouble here

Offender: https://proctorio.com/

Huge story to add. Some precedents in copyright and FFTF, EFF,

The subpoena requests that FFTF produce “all documents and communications” between itself and EFF, Erik Johnson, and Ian Linkletter, as well as any related to the proctoring software industry.

https://www.theverge.com/2022/2/22/22945634/proctorio-fight-for-the-future-twitter-copyright-lawsuit-subpoena-remote-proctoring

https://www.modzero.com/modlog/archives/2015/09/24/on_responsible_full_disclosure/index.html

[..]
The reason for this blog-posting is Good Technology. In June 2013 we identified a remotely exploitable vulnerability in Good's Mobile Device Management (MDM) Suite "Good For Enterprise" that allowed remote attackers to hijack administrative accounts. We followed common responsible disclosure principles and contacted Good, providing a timeframe of 45 days to fix a simple, persistent Cross Site Scripting related vulnerability. They asked for another 60 days and said they would like to provide "updates or corrections" to the final version of our advisory. However, Good used the remaining 50% of the E-mail to express their understanding of their certain license conditions and provided their legal standpoint "just FYI".
[..]

Including here for records and/or digging into it more to determine if it warrants inclusion.

https://twitter.com/fox0x01/status/1691774253014618222

ARM takes domains by force:

arm-assembly.com
arm-reversing.com
arm-exploitation.com
arm-basics.de

"Update: my blog azeria-labs.com is currently blocked due to the C&D."

Beginning of talk speed mentioned some type of stern letter. Needs analysis first: https://youtu.be/1JT_lTfK69Q

https://blog.fox-it.com/2013/04/05/security-advisory-unencrypted-storage-of-confidential-information-in-keeper-password-data-vault-v5-3-for-ios/

Vendor response
Fox-IT has reported the vulnerability in Keeper® Password & Data Vault to Keeper Security Inc. within 24 hours of its initial discovery. Unfortunately, Keeper Security Inc. has refused to constructively engage in a responsible disclosure procedure and has requested all further communication to be addressed to the company’s legal counsel.

Keeper Security Inc’s legal counsel has since notified Fox-IT that “that the issue raised […] has been addressed and resolved in the new version of Keeper (Version 6.0) which is available on the App Store”. However, the description of the update on the App Store does not specify this version resolves any security issues. Fox-IT was also notified that the public disclosure of the issues that are described in this advisory may be met with swift legal action.

Our mission at Fox-IT is to make technical and innovative contributions for a more secure society. Given the lack of public information regarding the risks that are associated with the previous version of the application, we regard it as our responsibility to publish a detailed advisory. This will allow the affected users to take protective measures to prevent their confidential data from being compromised (further).

Reported: 18-March-2013 17:12 CET
Resolved: 04-April-2013, according to the vendor’s legal counsel
Published: 05-April-2013 16:33 CET

https://therecord.media/meet-the-man-who-sued-an-indian-state-over-facial-recognition-technology/

This application was created for the Telangana State Police in 2018 and is equipped with facial recognition technology. It can compare the pictures of people with India’s national Crime and Criminal Tracking Network & Systems (CCTNS) in real-time—a nationwide database that contains millions of images of known and arrested offenders, wanted people and missing people.

2017 legal threat against pcpursuit.com for their research on breath testing machines. Need to see if they ever went public.

https://www.zdnet.com/article/security-firm-keeper-sues-news-reporter-over-vulnerability-story/

There are two FireEye incidents already. In the HTML comments I have had this for a while and tried to get more details on Twitter:

https://twitter.com/RazorEQX/status/642124276573859841
I came under fire from [FireEye] just over a year ago for disclosing a bug they didn.t seem important to fix.
https://twitter.com/RazorEQX/status/642125189904470016
Let me talk to the attorney that defended me. I lost a job over it.

Here's where I asked if it was one of the incidents:
https://twitter.com/securityerrata/status/643246845922250754
https://www.forbes.com/sites/thomasbrewster/2014/07/09/researcher-i-was-suspended-for-finding-flaws-in-fireeye-security-kit/?sh=6368bb336f77

Kind of surprised people still report vulns to FireEye after the other known incidents.