NuClide Research
Most recent
navigate open esc close Corpus index built 2026-06-07 23:58 UTC

§ DISCLOSURES · OUTCOMES

Outcomes

Status for every disclosure NuClide has issued. The disclosures themselves are the primary record; this is the accountability layer, what operators actually did with them.

§FEATURED DISCLOSURE · FIXED · 2026-05-11

D+0 → D+10
05-01
05-02
05-03
05-04
05-05
05-06
05-07
05-08
05-09
05-10
05-11
DISCOVER
ACK
REMEDIATE · 9D
VERIFY
★ SIGN-OFF
D+0 · DISCLOSED D+10 · SIGNED OFF

Authenticated, port-closed, signed-off. Syracuse University Ollama.

Syracuse University was running unauthenticated Ollama on 128.230.38.78:11434 and a sibling endpoint on :12345. We disclosed to itsecurity@listserv.syr.edu on day 0; INFOSEC opened ticket INFOSEC-10370. The verification re-probe on day 10 confirmed both ports closed/firewalled. The campus expanded the fix to a campus-wide ACL covering all 8 sampled 128.230.x.x Ollama-port endpoints.

Read the disclosure record
24h
to acknowledge
10d
to verified fix
8/8
sibling endpoints closed
signed off
3 Fixed 2.3% 0 Engaged 0.0% 4 Acknowledged 3.1% 0 Out of scope 0.0% 1 Misrouted 0.8% 4 Bounced 3.1% 119 Sent, awaiting reply 90.8%

131 disclosures total · click a cell to jump to that section

§ Lifecycle

Discovery to sign-off

The 131 disclosures NuClide has issued, mapped through the five lifecycle stages. Off-funnel drops surface on the right rail (bounces, no-replies, and acks-without-fixes) so the actual leakage points are visible at a glance.

SHED · OFF-FUNNEL 5 bounced · 4 / misrouted · 1 119 sent · no reply · 119 4 ack · no fix · 4 131 Discovered 01 126 Reported 02 7 Acknowledged 03 3 Remediated 04 3 Signed off 05

Fixed

3 disclosures

Operator confirmed remediation. Port closed, nullroute, auth enabled, fix shipped.

Acknowledged

4 disclosures

Auto-ticketed at the institution, mailman moderator hold, or a human reply that doesn't yet confirm a fix.

Misrouted

1 disclosure

Operator caught a routing error in our pipeline. Resend pending or sent.

Bounced

4 disclosures

Hard SMTP rejection, user-unknown, mail-loop, or DNS misconfig. Resend via alternate contact.

Sent, awaiting reply

119 disclosures

Disclosure delivered, no response received yet. Long-tail responses expected over 7-30 days.

§ How outcomes are tracked

Outcomes update as operators respond. Default state is sent, the disclosure has been delivered but no reply received. As replies arrive, outcomes are promoted: bounce-back to bounced, auto-ticket to acknowledged, confirmed remediation to fixed, etc. The full per-disclosure body remains the source of truth.

For the original 2026-05-04 batch outcomes narrative, see outcomes-2026-05-04.