
Tell HN: Google banned me for reporting CT vulns they fixed hours later

6•Eikon•7h ago
The Certificate Transparency system protects you from malicious HTTPS certificates. When CT logs have predictable private keys, the entire web PKI security model breaks down.

This compromises every certificate the log ever signed - past, present, and future.

I reported security vulnerabilities in Certificate Transparency infrastructure that Google Chrome trusts. They dismissed them as "not vulnerabilities," made my private report public without consent, then silently implemented my fixes hours later.

The discovery:

While benchmarking, I used echo " " > seed.bin (32 spaces). Sunlight accepted this and generated valid but predictable private keys for a CT log. No warnings, no errors.

Why this matters:

1. Operator correctly runs: cat /dev/urandom > seed.bin

2. Filesystem corruption fills seed with nulls/spaces (happens in production)

3. Sunlight silently generates predictable keys from corrupted seed

4. CT log operates "normally" - valid signatures, no errors

5. Anyone knowing about corruption can recreate the private keys

Without checksums, even perfect operators get silently compromised. This is PKI infrastructure that protects HTTPS certificates.

This isn't hypothetical - filesystem corruption is common in production systems. Power failures, kernel panics and storage failures regularly cause partial writes and null bytes.

Google's response:

- "Not a vulnerability": https://groups.google.com/a/chromium.org/g/ct-policy/c/qboz9s8b9j8/m/B6JXa2q1BAAJ

- Published my private security report without consent

- Implemented my exact fixes hours later

  - https://github.com/FiloSottile/sunlight/commit/f62f9084016c4c377d3855471720d7d0cdea3663

  - https://github.com/FiloSottile/sunlight/commit/32cc3ea2524e89f93febb967683c6467753f484d

- Banned me for pointing out the contradiction: https://groups.google.com/g/certificate-transparency/c/u8SsXgSFbz4/m/14ePyeCrBAAJ

Bonus vulnerability:

They authenticate using User-Agent strings. Anyone can spoof these headers to bypass rate limits and overwhelm the service:

- https://github.com/FiloSottile/sunlight/blob/main/cmd/skylight/skylight.go#L176

- https://github.com/FiloSottile/sunlight/blob/main/cmd/skylight/skylight.go#L148

This is production code, trusted by Google Chrome today (https://www.gstatic.com/ct/log_list/v3/all_logs_list.json) see the "sunlight" logs.

The exact email that got me banned is here https://groups.google.com/g/certificate-transparency/c/u8SsXgSFbz4/m/14ePyeCrBAAJ - judge for yourself if it violates any reasonable code of conduct.

Has anyone else experienced retaliation for responsible security disclosure? How do we fix a system where reporting vulnerabilities gets you banned while the issues get quietly patched?
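To make the seed failure mode above concrete, here is an added Go example. It is not Sunlight's code: the key-derivation label, the entropy threshold and the checksum layout are assumptions chosen for illustration. A seed is hashed deterministically into a P-256 private key, so the 32-space seed produces a perfectly valid and perfectly reproducible key; a `checkSeed` heuristic rejects seeds that look like corruption (a single repeated byte, too few distinct values); and a trailing SHA-256 over the stored seed lets the loader detect partial writes or runs of nulls before any key is derived.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"math"
)

const seedLen = 32

// deriveKey turns a seed into a P-256 private scalar by hashing it under a
// fixed label (a hypothetical KDF for this example, not Sunlight's) and
// returns the uncompressed public key. The derivation is deterministic: the
// same seed always yields the same key, which is why a predictable seed
// means a predictable key and why nothing downstream can notice.
func deriveKey(seed []byte) (string, error) {
	h := sha256.New()
	h.Write([]byte("example-ct-log-key/v1"))
	h.Write(seed)
	priv, err := ecdh.P256().NewPrivateKey(h.Sum(nil))
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(priv.PublicKey().Bytes()), nil
}

// shannonBits estimates the entropy per byte of a buffer. A 32-byte seed of
// one repeated value scores 0; random bytes score close to log2(32) = 5
// because at most 32 distinct values can appear in 32 bytes.
func shannonBits(b []byte) float64 {
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	var bits float64
	for _, n := range counts {
		if n == 0 {
			continue
		}
		p := float64(n) / float64(len(b))
		bits -= p * math.Log2(p)
	}
	return bits
}

// checkSeed rejects seeds that cannot plausibly have come from a CSPRNG:
// wrong length, a single repeated byte (the all-spaces and all-nulls cases)
// or too few distinct byte values. The 4.5-bit threshold is a heuristic for
// this example; it catches corruption patterns, not an attacker-chosen seed.
func checkSeed(seed []byte) error {
	if len(seed) != seedLen {
		return fmt.Errorf("seed must be %d bytes, got %d", seedLen, len(seed))
	}
	if bytes.Count(seed, seed[:1]) == len(seed) {
		return errors.New("seed is a single repeated byte")
	}
	if shannonBits(seed) < 4.5 {
		return errors.New("seed entropy estimate too low for random data")
	}
	return nil
}

// sealSeed stores the seed with a trailing SHA-256 so that a later partial
// write or block of nulls is detected at load time instead of silently
// turning into a different key.
func sealSeed(seed []byte) []byte {
	sum := sha256.Sum256(seed)
	return append(append([]byte{}, seed...), sum[:]...)
}

// openSeed verifies the checksum and then the randomness heuristic before
// the seed is allowed anywhere near key derivation.
func openSeed(blob []byte) ([]byte, error) {
	if len(blob) != seedLen+sha256.Size {
		return nil, fmt.Errorf("seed file has %d bytes, want %d", len(blob), seedLen+sha256.Size)
	}
	seed, sum := blob[:seedLen], blob[seedLen:]
	want := sha256.Sum256(seed)
	if !bytes.Equal(sum, want[:]) {
		return nil, errors.New("seed checksum mismatch: file corrupted or truncated")
	}
	if err := checkSeed(seed); err != nil {
		return nil, err
	}
	return seed, nil
}

func main() {
	// Constructed inputs: a good seed (32 distinct bytes standing in for
	// /dev/urandom output) and the 32-space seed from the post.
	good := make([]byte, seedLen)
	for i := range good {
		good[i] = byte(0xa0 + i)
	}
	spaces := bytes.Repeat([]byte(" "), seedLen)

	for name, s := range map[string][]byte{"good": good, "spaces": spaces} {
		pub, _ := deriveKey(s) // succeeds for both: the key is valid either way
		fmt.Printf("%-6s check=%v pub=%s...\n", name, checkSeed(s), pub[:16])
	}

	// Simulate corruption of a sealed seed file: the first 8 bytes zeroed.
	blob := sealSeed(good)
	copy(blob, make([]byte, 8))
	_, err := openSeed(blob)
	fmt.Println("corrupted sealed seed:", err)
}
```

The two checks cover different failures and neither replaces the other: the checksum proves the file on disk is the file that was written, and the entropy heuristic proves the file that was written was not a run of spaces or nulls to begin with. A seed that passes both can still be bad if the operator's randomness source was, so neither is a substitute for generating the seed from a real CSPRNG.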
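On the rate-limit point, an added example (again not skylight's code; the limiter, the request path and the addresses are constructed for illustration): the same fixed-window limiter keyed once by User-Agent and once by the client's peer address, with a flood from a single address that rotates the User-Agent on each request. Keyed by User-Agent, every rotated request lands in a fresh bucket and the whole flood passes; keyed by the address, the same flood is cut off at the limit.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// limiter is a fixed-window counter. keyFn decides which request attribute
// identifies a client; that choice is the whole security property.
type limiter struct {
	mu     sync.Mutex
	keyFn  func(*http.Request) string
	limit  int
	window time.Duration
	counts map[string]int
	reset  time.Time
}

func newLimiter(keyFn func(*http.Request) string, limit int, window time.Duration) *limiter {
	return &limiter{keyFn: keyFn, limit: limit, window: window, counts: map[string]int{}}
}

// allow reports whether the client identified by keyFn still has budget in
// the current window. now is passed in so the example is deterministic.
func (l *limiter) allow(r *http.Request, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	if now.After(l.reset) {
		l.counts = map[string]int{}
		l.reset = now.Add(l.window)
	}
	k := l.keyFn(r)
	if l.counts[k] >= l.limit {
		return false
	}
	l.counts[k]++
	return true
}

// byUserAgent keys on a header the client writes itself: any value the
// attacker has not used yet is a brand-new, empty bucket.
func byUserAgent(r *http.Request) string { return r.UserAgent() }

// byClientIP keys on the peer address of the TCP connection, which a remote
// client cannot pick freely. Behind a trusted reverse proxy you would take
// the proxy-supplied address instead, and only when the peer is that proxy.
func byClientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// flood sends n constructed requests from one address to l, rotating the
// User-Agent per request when rotate is set, and reports how many got through.
func flood(l *limiter, n int, rotate bool) int {
	allowed := 0
	now := time.Unix(1_700_000_000, 0) // fixed clock: everything falls in one window
	for i := 0; i < n; i++ {
		r := httptest.NewRequest(http.MethodGet, "/ct/v1/get-sth", nil)
		r.RemoteAddr = "203.0.113.7:40000" // constructed attacker address (RFC 5737 range)
		ua := "ct-scanner/1.0"
		if rotate {
			ua = fmt.Sprintf("ct-scanner/1.0 build-%d", i)
		}
		r.Header.Set("User-Agent", ua)
		if l.allow(r, now) {
			allowed++
		}
	}
	return allowed
}

func main() {
	const limit, n = 10, 100
	fmt.Println("UA-keyed, fixed UA:    ", flood(newLimiter(byUserAgent, limit, time.Minute), n, false))
	fmt.Println("UA-keyed, rotating UA: ", flood(newLimiter(byUserAgent, limit, time.Minute), n, true))
	fmt.Println("IP-keyed, rotating UA: ", flood(newLimiter(byClientIP, limit, time.Minute), n, true))
}
```

Any header-derived key has the same weakness, since the client controls every byte of the request it sends. The peer address is not a perfect identity either (NAT, shared egress, proxies), but it is something the attacker must pay for rather than type, which is the property a rate limit actually needs.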

Comments

data_yum_yum•7h ago
Just stay away from the toxicity that’s bringing a cultural decline in the tech world. When it’s relevant, you can inform the right people that you can trust and suggest solutions.

Enough companies hand out bounties to people who catch security vulnerabilities, some just categorize per seriousness but some go far enough to have assessed existing problems and put out a list of them with specific dollar amounts they’re willing to hand out.

I think this is the way to go honestly - creates a community, remain transparent which buys immense trust, and have a pretty neat way to attract talent.

I think at this point it’s a no-brainer that a lot of big tech companies are going through a cultural decline, which explains the layoffs. AI is just an excuse for layoffs :)