From 2630c97b31b3a98c53ccb977f1892e818e73734c Mon Sep 17 00:00:00 2001 From: feng Date: Wed, 25 Mar 2026 09:38:06 +0800 Subject: [PATCH] =?UTF-8?q?feat:=20add=20disclosure=20timeline=20page=20?= =?UTF-8?q?=E2=80=94=20bilingual,=20SEO-optimized?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 737-line timeline page covering 2024-2026 disclosure process - Bilingual (Chinese/English) with color-coded event tags - Full SEO: hreflang, og:image, twitter card, meta description - Navigation consistent with other blog pages - Legal-safe: facts only, no subjective claims Co-Authored-By: Claude --- disclosure-timeline.html | 737 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 737 insertions(+) create mode 100644 disclosure-timeline.html diff --git a/disclosure-timeline.html b/disclosure-timeline.html new file mode 100644 index 0000000..749ecb4 --- /dev/null +++ b/disclosure-timeline.html @@ -0,0 +1,737 @@ + + + + + +Disclosure Timeline — Alipay SecurityGuard Security Research | 披露时间线 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ +
+ +
+ + + + + +
+ 内容标识 / Content Notice:  + 本页面内容基于可核实的客观事实记录,所有时间节点均有文件或公开记录作为来源。部分文本整理使用了 AI 辅助。 + This page documents verifiable, objective events only. All timestamps are sourced from contemporaneous records or public archives. Text editing assisted by AI. +
+ + +
+
2024
+
+
+ +
+ +
+
+
Q1 – Q2 2024
+
启动对 SecurityGuard v2 SDK 的初步分析
+
Initial discovery and analysis of SecurityGuard v2 SDK
+
+ 通过公开渠道获取的支付宝 APK(Android 版本),对内嵌的 SecurityGuard v2 SDK 进行初步静态分析,识别关键组件与架构模式。
+ Began static analysis of SecurityGuard v2 SDK embedded in publicly available Alipay APK builds. Identified key components and architectural patterns. + Analysis +
+
+
+ +
+ + +
+
2025
+
+
+ +
+ +
+
+
Q3 – Q4 2025
+
深入分析加密实现、原生代码与隐私机制
+
Deep analysis of cryptographic implementations, native code, and privacy mechanisms
+
+ 系统性分析 SDK 的密码学实现、热修复机制(PatchProxy / AVMP)、网络通信层及数据收集行为。研究范围扩展至原生 .so 库与 JNI 层。
+ Systematic analysis of cryptographic implementations, hot-patch mechanisms (PatchProxy / AVMP), network communication layers, and data collection behaviors. Scope extended to native .so libraries and JNI layer. + Deep Dive +
+
+
+ +
+ + +
+
2026
+
+
+ +
+ +
+
+
Feb 25, 2026
+
通过 AntSRC 向厂商提交漏洞报告
+
Vulnerability report submitted to vendor via AntSRC
+
+ 通过蚂蚁集团官方安全漏洞响应渠道(AntSRC / security@antgroup.com)提交详细技术报告,启动负责任披露流程。
+ Detailed technical report submitted via Ant Group's official security vulnerability response channel (AntSRC / security@antgroup.com), initiating the responsible disclosure process. + Vendor Contact +
+
+
+ +
+
+
Mar 10, 2026
+
厂商回复:认定为"正常功能"
+
Vendor responds: classified as "normal function"
+
+ 蚂蚁集团通过 AntSRC 渠道回复,将报告中涉及的技术行为定性为"正常功能",未提出修复计划。
+ Ant Group replied via AntSRC, classifying the reported technical behaviors as "normal function" with no remediation plan indicated. + Vendor Response +
+
+
+ +
+
+
Mar 12, 2026
+
向 MITRE 提交首批 CVE 报告(Ticket #2005801,9 份 CVE)
+
First MITRE CVE submission — Ticket #2005801, 9 CVE reports
+
+ 鉴于厂商回复不认可,依据 MITRE CVE 提交流程,正式向 MITRE 提交首批 CVE 报告,覆盖密码学、热修复与隐私等多个技术领域。
+ Following the vendor's non-acknowledgment, formally submitted the first batch of CVE reports to MITRE covering cryptography, hot-patch, and privacy domains. + CVE Submission +
+
+
+ +
+
+
Mar 12 – Mar 22, 2026
+
8 篇技术分析文章在微信公众号发布
+
8 technical analysis articles published on WeChat Official Account
+
+ 以中文撰写并发布 8 篇系列技术分析文章("The Nora Chronicles"),涵盖 PatchProxy 机制、加密降级、隐私分析、DeepLink 攻击面等专题。
+ Published 8 technical analysis articles in Chinese ("The Nora Chronicles") covering PatchProxy, encryption downgrade, privacy analysis, DeepLink attack surface, and related topics. + Published +
+
+
+ +
+
+
Mar 17, 2026
+
GitHub 代码库公开发布
+
GitHub repository published
+
+ 正式公开 GitHub 证据仓库,包含技术报告、反编译代码片段(jadx)、脚本及 Docker 验证环境说明。
+ Publicly released GitHub evidence repository containing technical reports, decompiled code excerpts (jadx), scripts, and Docker verification environment documentation. + Published + github.com/sgInnora/alipay-securityguard-analysis +
+
+
+ +
+
+
Mar 19, 2026
+
IACR ePrint 论文发布(编号 2026/526)
+
IACR ePrint paper published — 2026/526
+
+ 在国际密码学研究协会(IACR)ePrint 服务器发布预印本研究论文,题目:"Broken by Design: A Static Analysis of Alipay's SecurityGuard SDK"。注:ePrint 为预印本服务,不属于同行评审出版物。
+ Published preprint research paper on the IACR ePrint server: "Broken by Design: A Static Analysis of Alipay's SecurityGuard SDK." Note: ePrint is a preprint service, not a peer-reviewed publication. + Academic Record + eprint.iacr.org/2026/526 +
+
+
+ +
+
+
Mar 19, 2026
+
Packet Storm Security 收录(编号 #217089)
+
Packet Storm Security publication — #217089
+
+ 安全漏洞信息聚合平台 Packet Storm Security 收录本研究,进一步扩大技术社区的可见度。
+ Research indexed by Packet Storm Security, a widely referenced security advisory aggregation platform. + Published + packetstormsecurity.com/files/217089 +
+
+
+ +
+
+
Mar 19 – Mar 23, 2026
+
后续 MITRE CVE 提交(Batch 1–4,累计 36 份 CVE,11 个工单)
+
Additional MITRE submissions — Batches 1–4, total 36 CVE reports across 11 tickets
+
+ 在初始提交基础上,分四批次陆续向 MITRE 提交补充 CVE 报告,覆盖认证机制、JSBridge 授权、Wi-Fi 追踪、弱随机数等新发现领域。
+ Submitted four additional batches of CVE reports to MITRE covering authentication mechanisms, JSBridge authorization, Wi-Fi tracking, weak random number generation, and other newly documented areas. + 36 CVE Reports + 11 Tickets +
+
+
+ +
+
+
Mar 22, 2026
+
8 篇微信文章因厂商投诉被移除
+
8 WeChat articles removed following vendor complaint
+
+ 微信平台依据蚂蚁集团经代理律师事务所提出的投诉,将前期发布的 8 篇技术分析文章下架。各文章已同步存档于 innora.ai/zfb/ 永久保存。
+ WeChat platform removed the 8 previously published technical analysis articles following a complaint filed by Ant Group through a proxy law firm. All articles are permanently archived at innora.ai/zfb/. + Platform Removal +
+
+
+ +
+
+
Mar 22, 2026
+
创建 Mastodon 账号(infosec.exchange/@Innora)
+
Mastodon account created — infosec.exchange/@Innora
+
+ 在去中心化社交平台 Mastodon 的 infosec.exchange 实例创建账号,建立独立于平台审查的技术社区沟通渠道。
+ Created account on infosec.exchange Mastodon instance to establish a communication channel independent of centralized platform moderation. + Platform +
+
+
+ +
+
+
Mar 23, 2026
+
Zenodo 永久学术存档(DOI: 10.5281/zenodo.19186848)
+
Zenodo permanent academic archive — DOI: 10.5281/zenodo.19186848
+
+ 在欧洲核子研究中心(CERN)运营的 Zenodo 平台完成研究材料的永久学术存档,获得不可删除的 DOI,确保数字内容长期可访问性。
+ Completed permanent academic archival of research materials on Zenodo (operated by CERN), obtaining a non-revocable DOI ensuring long-term digital accessibility. + Permanent Archive + doi.org/10.5281/zenodo.19186848 +
+
+
+ +
+
+
Mar 23, 2026
+
Docker 验证环境发布(37/37 测试通过)
+
Docker verification environment published — 37/37 tests pass
+
+ 发布完整的 Docker 化验证环境,使第三方研究人员可独立复现全部 37 项技术发现,所有测试 100% 通过。验证脚本与 Dockerfile 均已包含在 GitHub 仓库中。
+ Published complete Dockerized verification environment enabling independent third-party reproduction of all 37 technical findings with 100% test pass rate. Verification scripts and Dockerfile included in GitHub repository. + Reproducible + 37 / 37 Tests Pass +
+
+
+ +
+
+
Mar 13 – Mar 25, 2026
+
已向 9+ 国家/地区的监管机构通报
+
Regulatory authorities in 9+ countries/regions briefed
+
+ 依据各机构的管辖范围,向多个国家和地区的监管机构提交技术简报,涵盖金融监管、数据保护、网络安全应急响应等职能类型。
+ Technical briefings submitted to regulatory authorities across multiple jurisdictions based on their respective mandates, covering financial regulation, data protection, and cybersecurity incident response functions. + Regulatory + 9+ Jurisdictions +
+
+
+ +
+ + + + + + + + + +
+ + + + + + +
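Review bot: The CVE counts in the `Mar 12, 2026` entry (Ticket #2005801, 9 CVE reports) and the `Mar 19 – Mar 23, 2026` entry (Batches 1–4, "累计 36 份 CVE,11 个工单" / "total 36 CVE reports across 11 tickets") do not read consistently across the two languages: 累计 means cumulative, so the 36 would include the first 9, while the English heading "Additional MITRE submissions" reads as 36 on top of the initial batch; pick one figure and state it the same way in both languages. The commit message also promises "facts only, no subjective claims", yet several descriptions carry characterizations rather than records of events: "a widely referenced security advisory aggregation platform" (Packet Storm entry), "non-revocable DOI ensuring long-term digital accessibility" (Zenodo entry) and "independent of centralized platform moderation" (Mastodon entry); trimming these to the bare event (indexed, archived with DOI, account created) would match the stated intent. Lastly, the `Mar 13 – Mar 25, 2026` regulatory entry is placed after the two `Mar 23, 2026` entries, so the 2026 list is not in start-date order; either move it up or state that ranged entries are positioned by end date.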