Disclosure in Action: I Published Without Publishing the Secret

Day of public disclosure. The document went up; the secret stayed out. How to publish a finding without publishing what an attacker would weaponize.


Disclosure in Action – May 1, 2026 – CompleteTech LLC

Field Note 06 – Public Disclosure

I published without publishing the secret.

The public disclosure needed to be accountable, useful, and intentionally incomplete. I included enough detail to document the issue and the timeline, while redacting the credential values that could enable reuse.

The public write-up included the affected package, observed builds, cloud target, region, endpoint, redacted access key identifier, technical source locations, and a clear statement that the full secret access key was not published.

It also included the research limits. No live AWS authentication was performed. No bucket enumeration, object retrieval, upload, write testing, or other AWS API activity was performed with the exposed secret.

That was the balance I wanted: enough specificity for accountability, enough restraint to avoid creating a new risk.

Included: Package, versions, S3 target, region, endpoint, source locations, and timeline.
Redacted: The full secret access key and any material that would enable credential reuse.
Published: A public document for learning, accountability, and portfolio context.
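
A pre-publication check in the spirit of the redaction described above, as an added example that is not from the original post or CompleteTech's tooling: it scans a draft for AWS credential patterns, masks the access key ID, and removes the secret entirely. The regex heuristics, the masking style, and the sample draft (built from AWS's documentation placeholder keys) are assumptions of this example.

```python
import re

# Heuristics assumed by this example: an AWS access key ID is 20 characters
# (AKIA/ASIA prefix + 16 uppercase alphanumerics); a secret access key is a
# 40-character run from the base64 alphabet.
KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")

# Constructed sample draft; the keys are AWS's published documentation placeholders.
DRAFT = '''Region: us-east-1
accessKey = "AKIAIOSFODNN7EXAMPLE"
secretKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
'''

def mixed_classes(s):
    # Lower + upper + digit: skips 40-char hex digests such as SHA-1 values.
    return (any(c.islower() for c in s) and any(c.isupper() for c in s)
            and any(c.isdigit() for c in s))

def line_of(m):
    # 1-based line number of a match within the string being searched.
    return m.string.count("\n", 0, m.start()) + 1

def redact(text):
    """Return (redacted_text, findings); findings are (kind, line) tuples."""
    findings = []

    def hide_secret(m):
        if not mixed_classes(m.group(0)):
            return m.group(0)
        findings.append(("secret_access_key", line_of(m)))
        return "[REDACTED SECRET ACCESS KEY]"   # nothing of the secret survives

    def mask_key_id(m):
        value = m.group(0)
        findings.append(("access_key_id", line_of(m)))
        # Assumed masking style: keep prefix and last 4 so the key owner can
        # identify which key to rotate, without publishing the full identifier.
        return value[:4] + "*" * 12 + value[-4:]

    out = SECRET.sub(hide_secret, text)
    out = KEY_ID.sub(mask_key_id, out)
    return out, findings

def publishable(text):
    """True only when no unredacted credential pattern remains in the draft."""
    return not redact(text)[1]

if __name__ == "__main__":
    cleaned, found = redact(DRAFT)
    print(found)
    print(cleaned)
```

Treat a clean result as a gate before a human review of the draft, since pattern matching can miss credentials in unusual formats.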

The disclosure document is available here: VapeTM Hardcoded AWS IAM Credentials – Public Disclosure.

CompleteTech LLC – Innovation at Every Integration Public disclosure series – 2026