Defend Rob's Responsible Disclosure

TL;DR: I made a responsible security disclosure to Apperta, an NHS tech org, that had negligently spilled usernames, passwords, and financial data on the internet. They responded with threats of legal action.

Read my write-up 'howto disclose' and my blog No Good Deed Goes Unpunished.
 
How it started:
Late February I found two public repositories on GitHub with application code, a database dump, API keys, usernames and passwords. I followed the URLs in the repos and verified the author of the repos and the owner as Apperta Foundation.
 
I wrote up my findings, including copious screenshots (obfuscated), as a Security Disclosure which I sent to Apperta on the 1st of March. Apperta responded the same day, thanking me for the detailed notice. The repos were taken down and the website was taken offline.
 
On Monday (8th) I received a letter from a law firm representing Apperta, accusing me of committing offences under the Computer Misuse Act 1990 and the Investigatory Powers Act 2016 and demanding that I give commitments that amounted to me acknowledging that I had unlawfully hacked into and penetrated systems and databases.
 
How it's gone:
Over March and April, in the region of 500 emails were exchanged in search of a form of words that Apperta would accept as confirmation that I had deleted the materials discovered.
 
Apperta filed a cybercrime incident with the police. Thankfully the police closed the record as no action necessary.
 
In the last week of April Apperta again threatened to attempt to obtain a court injunction.
 
And now?
I'm in limbo. Mentally worn down. Counting the costs.
 
Legals & costs have run to £25,000.
 
Read my blog No Good Deed Goes Unpunished.
 
About Me: I'm a long-time open source hacker. A decade of my career was in NHSland, where I co-founded open eObs and made an OS for the NHS. These days I research the security and privacy of apps listed in the NHS Apps Library.
  • Deyan Samardzhiev 
    • £5 
    • 17 d
  • Dennis Humm 
    • £20 
    • 1 mo
  • Mr Alexander N Toft 
    • £100 
    • 1 mo
  • Eckhard Schwarzat 
    • £20 
    • 1 mo
  • Mr Jonathan Hamer 
    • £10 
    • 1 mo

Organizer

Rob Dyke 
Lewes, South East England, United Kingdom