rogueFed Looks like you can call your nearest family member on the phone and say "I'm on the news!": https://www.404media.co/someone-snuck-into-a-cellebrite-microsoft-teams-call-and-leaked-phone-unlocking-details/
I am sure you could have submitted to these people instead and they'd post it too. They've done it before with past posts here or GrayKey.
After thinking about it closer, I redacted the employee. They represent Cellebrite in a highly public fashion but to be honest it comes across as exceedingly petty. Likely the same view as the article author too? So we'd agree. Doesn't belong here.
GrapheneOS is concerned about the techniques being used in premium exploit tools and any developments circulating around them and GrapheneOS. The people who work on their businesses are not in our interests, because anyone can work there (they have hired security researchers soon after they stopped being teenagers, certainly unaware of the ethical issues). Good security strategy is creating defences for the most targeted components and countermeasures against strategies employed by these threat actors as a whole. The person involved means nothing.
Meanwhile, here is what Cellebrite said:
“We do not disclose or publicize the specific capabilities of our technology. This practice is central to our security strategy, as revealing such details could provide potential criminals or malicious actors with an unintended advantage.”
GrapheneOS, Google, Samsung, Apple and the greater mobile security community is neither a "potential criminal" nor a "malicious actor". These authoritarian talking points are stale and come from the same playbook as "Think of the children" and other fallacy phrases meant to attack you as being a danger for something as simple as wanting to protect yourself. GrapheneOS protects users against criminals, from hackers, abusers, stalkers and corrupt up to the most capable and wealthy in business and government.
These companies do not engage in ethical practices and virtues that make you a trustworthy member of the security community, like responsible disclosure. A software developer is entitled to know that their software is being or is attempted to be exploited by a wealthy, influential threat actor. What we do against these groups is an act of self-defence. Not trying to do anything about it is complicity against the use of these tools to violate people's basic human rights. Despite the amount of controls they claim to make on their products, they still can't combat illicit use of it, as seen in Serbia. At the bare minimum, a single illicit use of these tools anywhere in the world immediately makes their exploit a cyberweapon that must be neutralised. Them being an exploit alone is the only justification we need to seek disrupting these threat actors' work.