For the three reporters who have written articles about this, and the one who provided invaluable guidance, my gratitude is endless. This post doesn't apply to you, nor "the feds", the cybersecurity experts, or #lawyers (including and especially @eff), who were extremely helpful. The rest, however, should take note.
I've willingly laid my neck on a chopping block, unprotected, for over six months.
My outreach has been exhaustive:
• Attempted to engage with over 150 journalists and #news organizations,
• Coordinated frequently with the Cybersecurity and Infrastructure Security Agency (#CISA or "the feds"),
• Consulted with numerous cybersecurity experts,
• Sought advice from multiple lawyers,
• Spoke with ten state and state court CISOs,
• Attempted to talk to several dozen state and county court clerks and judges,
• Sent emails to every Florida State Senator, State Representative, and Supreme Court justice, and to multiple governors,
• Discussed with the staff of multiple U.S. Senators and U.S. Representatives,
• Contacted twelve vendors and over 40 employees
I've offered to write articles -- for free.
I've had no fewer than eight background checks done on me.
I've been cyberstalked by the Arizona Supreme Court.
I've put my job and my family's livelihood at risk in more ways than one.
I've made a grand total of $0; in fact, I've invested several hundred.
When I'm able to sleep, it's with one eye open, always waiting for "that" knock on the door.
After my first #disclosure, I prepared for a week to deal with what I expected to be a #media circus. What I received was one preemptive email from a state court #CISO (who was not affected) and one kind person (who is not a #journalist) on the #fediverse.
I've spent over 900 hours discovering, documenting, reporting, and disclosing vulnerabilities, trying to get this fixed on a mass scale, and attempting to contact the above list. I see no signs of this slowing down any time soon. All of this for what is merely a #hobby.
I've done my part. It's time for reporters to step up. The real-world harm these vulnerabilities have caused — and continue to cause — cannot be overstated. The need for widespread awareness and action is urgent.
Just to clarify things a bit, so people understand the scale of this...
As of today, I've discovered and reported vulnerabilities in court platforms from eleven(!) separate vendors, with another in a records request platform by one of the same vendors.
There are a large number of vulnerabilities in four(?) more platforms from some of those same vendors that will be reported this weekend.
The consequences of these vulnerabilities are exceptionally severe. I'll avoid the need for a content warning by saying that some of the documents that are available are life-threatening and some involve children; a reply to this post will have such a content warning.
There is a dire need for publicity of this knowledge, so that people can protect themselves, vendors can be held accountable, and real change can be made to solve these systemic problems.
It's still shocking to me that so many people and organizations turn down covering this story or outright ignore me. I've been told several times to call a reporter once it's being actively exploited. If you've been in the industry for very long (as they have), you know that we must assume, with or without direct evidence, that if we've found something -- trivially, I'll add -- that somebody else more nefarious already has as well, and will be abusing it to the fullest.
Add comment