
Disclosure in Action: I Sent the Private Disclosure

The day the private disclosure went out. What the email actually said, who it went to, and the timer that started the moment it was sent.


Disclosure in Action March 22, 2026 – CompleteTech LLC

Field Note 03 – Vendor Notice

I sent the private disclosure.

The private report needed to be useful to the vendor without being performative. I included the details required to identify, reproduce, and remediate the issue, including sensitive values that would never belong in a public post.

The report focused on what the vendor needed: affected application package, observed affected builds, source locations, target bucket, region, endpoint, and the credential values required for them to identify and revoke the key.

I also described my research limit. The finding was based on APK static analysis and decompiled code review only. No live AWS validation was performed.

That separation matters. The vendor needs enough detail to remediate. The public does not need enough detail to reuse the credential.

Private detail: Full credential values and direct remediation evidence went to the vendor.
Public restraint: The public write-up would later redact the secret and avoid reusable material.
Tone: The goal was to get the issue fixed, not to dramatize the finding.

A good disclosure report makes the vendor’s next action obvious: revoke the exposed key, review logs, replace the pattern, and verify that newer builds no longer ship the secret.
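The last item in that list, verifying that newer builds no longer ship the secret, can run as a release gate on the vendor side. The sketch below is an added example, not part of the original report or the vendor's tooling; it assumes the exposed credential is an AWS access key ID, and the function names, the sample archive and the key value (AWS's documentation placeholder) are constructed for illustration.

```python
import io
import re
import zipfile

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 characters.
# The secret access key has no fixed prefix, so this gate keys on the ID only.
KEY_ID = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

def redact(key_id: bytes) -> str:
    """Keep just enough of the key ID to correlate a hit with the report."""
    text = key_id.decode("ascii")
    return text[:4] + "*" * 12 + text[-4:]

def scan_apk(apk) -> list[tuple[str, str]]:
    """Return (entry name, redacted key ID) for every hit inside the APK.

    APK entries are normally deflate-compressed, so searching the .apk file
    itself can miss the string; each entry is decompressed before matching.
    """
    hits = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            for match in KEY_ID.finditer(data):
                hits.append((info.filename, redact(match.group(0))))
    return hits

def build_sample_apk(with_key: bool) -> io.BytesIO:
    """Constructed stand-in for a build artifact (not a real APK or real key)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        body = b"\x00Lcom/example/Uploader;\x00"
        if with_key:
            # AWS documentation placeholder key ID, embedded like a dex string
            body += b"\x14AKIAIOSFODNN7EXAMPLE\x00"
        zf.writestr("classes.dex", body)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for label, with_key in (("older build", True), ("newer build", False)):
        hits = scan_apk(build_sample_apk(with_key))
        print(label, "FAIL" if hits else "clean", hits)
```

A clean result only shows the key ID string is gone from the package; the key still has to be revoked, because earlier builds remain in circulation.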

CompleteTech LLC – Innovation at Every Integration Public disclosure series – 2026