Suing For a Responsible Disclosure
Rob Dyke, a security researcher and platform engineer, found a vulnerability in two open repositories belonging to a company on March 8th and disclosed it to the company. The exposed repositories contained API keys, application code, usernames, passwords, third-party URLs, and embedded items.
— Rob Dyke (@robdykedotcom) March 9, 2021

He claimed the repositories had been exposed for more than two years and that the application code in them contained RCE and SQL injection bugs because it ran on an old PHP framework. He took screenshots of his findings and sent a private disclosure to the repository's author, who thanked him and secured it. Yet Rob found that some embedded elements and public URLs were still exposed, prompting him to make a second private disclosure. In return, the company hit Rob with a legal notice accusing him of violating the Computer Misuse Act 1990 and the Investigatory Powers Act 2016.
So I find an open repo with dump.sql API keys, usernames etc. I verify the contents. I take screenshots. I send a security advisory. Then I get a letter from the lawyers. This normal? #infosec #Legal https://t.co/4XlwxoEPCh — Rob Dyke (@robdykedotcom) March 8, 2021

In the notice, he was asked to "give commitments that amounted to me (Rob) acknowledging that I (Rob) had unlawfully hacked into and penetrated systems and databases." This puzzled him, since all he had done was inform them that their repositories were exposing sensitive data. He then asked the infosec community for recommendations on how to proceed and started a GoFundMe campaign to fund a fight against the company's action. While he did not share the company's name initially, he later revealed it to be Apperta Foundation, a clinical non-profit funded by the UK's NHS. He has now appointed a legal firm to represent him and has raised nearly 9,000 pounds to support the effort.