验证:Verify: Docker 37/37 | Zenodo DOI | IACR 2026/526 | Packet Storm
最后更新: 2026-03-25Last updated: 2026-03-25
独立安全研究 · 审查事件记录 Independent Security Research · Censorship Record

Innora AI Security Research  |  Jiqiang Feng (风宁)  |  2026-03-15

当"网络安全法"成为审查武器

一个安全研究者对抗企业压制的全球记录

9篇微信安全研究文章被分三波删除。36份报告已提交MITRE。IACR学术论文已收录。22个国家的监管机构正在调查。真相不需要删除通知。 9 WeChat security research articles deleted in 3 waves. 36 reports filed with MITRE. IACR paper published. 22 countries investigating. Truth needs no takedown notice.

[email protected] [email protected] 2026-03-15 · 世界消费者权益日 2026-03-15 · World Consumer Rights Day 完整技术报告 → Full Technical Report → Packet Storm #217089 →
4
文章被删Deleted
17
已验证漏洞Verified Vulns
308
服务器日志Exfil Logs
38+
机构回应Institutions
6
CVE待分配CVEs Pending
完整技术报告 innora.ai/zfb/ Full Technical Report innora.ai/zfb/ Packet Storm Advisory #217089 GitHub: sgInnora/alipay-deeplink-research

序言 Prologue 删除不了的真相 Truth Cannot Be Deleted

2026年3月15日至3月25日,我的微信公众号"AI-security-innora"共9篇安全研究文章被分三波强制删除 Between March 15 and March 25, 2026, a total of 9 security research articles were force-deleted in three waves from my WeChat Official Account "AI-security-innora."

删除通知原文:"接相关投诉,以下文章被判断为违反《中华人民共和国网络安全法》,已删除。"处理依据:"相关法律法规"。没有指明具体条款。没有指明投诉方。没有申诉渠道。 The exact wording of the deletion notice: "Received related complaint. The following article has been determined to violate the Cybersecurity Law of the People's Republic of China and has been deleted." Basis: "related laws and regulations." No specific article. No identified complainant. No appeal channel.

通知只说了"接相关投诉"——没有指明投诉方是谁。没有案件编号。没有联系方式。连你被谁告了都不告诉你。 The notice only said "received related complaint" — without identifying who filed it. No case number. No contact information. They do not even tell you who accused you.

删除通知截图(原始证据) Deletion Notice Screenshots (Original Evidence)

WeChat deletion notice - articles 1 and 2

微信公众平台安全助手通知 — 文章1和2 WeChat Platform Safety Assistant — Articles 1 and 2

WeChat deletion notice - articles 3 and 4

微信公众平台安全助手通知 — 文章3和4 WeChat Platform Safety Assistant — Articles 3 and 4

注意通知措辞:"接相关投诉" — 不指明投诉方。"相关法律法规" — 不指明具体条款。没有申诉渠道。此前以"名誉侵权"为由的投诉已被平台驳回(单号4285****65)。此后文章被以"违反《网络安全法》"为由删除——三波共9篇,平台未再进行独立审核。 Note the wording: "Received related complaint" — complainant unidentified. "Related laws and regulations" — no specific article cited. No appeal channel. A complaint citing "reputation infringement" was rejected earlier (Case #4285****65, filed by Beijing Geyun Law Firm on behalf of Ant Group). Subsequently, articles were deleted citing "violation of the Cybersecurity Law" — 9 articles across three waves, with no independent review by the platform.

讽刺的是,4天前,针对同样内容的一份投诉已经被微信平台审核驳回(北京格韵律师事务所提交,投诉单号4285****65)。微信平台的裁定是:"未能核实判断被投诉内容侵权,对本次投诉暂不予支持。"而这次,连投诉方是谁都不告诉你,文章就直接消失了。 The irony: four days earlier, a complaint about the same content — filed by Beijing Geyun Law Firm — had been reviewed and rejected by WeChat (Case #4285****65). WeChat's ruling: "Unable to verify infringement; complaint not supported." This time, you are not even told who filed the complaint. The articles simply vanish.

第一次用"名誉侵权"——失败。第二次换"网络安全法"——成功。 First attempt using "reputation infringement" — failed. Second attempt invoking "Cybersecurity Law" — succeeded.

这不是法律的胜利。这是法律被武器化的证据。 This is not a victory of law. This is evidence of law being weaponized.

第一部分 Part 1 事实:17个漏洞、308条日志、42张截图 The Facts — 17 Vulnerabilities, 308 Logs, 42 Screenshots

2026年2月25日至3月7日,我向一个日活超过10亿用户的国民级支付应用提交了4轮安全漏洞报告,发现17个安全漏洞,CVSS评分从7.4到9.3。核心发现是一条完整的攻击链: Between February 25 and March 7, 2026, I submitted four rounds of vulnerability reports to a payment application with over 1 billion daily active users. I identified 17 security vulnerabilities with CVSS scores ranging from 7.4 to 9.3. The core finding was a complete attack chain:

ds.alipay.com 开放重定向 (CVSS 9.3) → DeepLink URL Scheme绕过 (CVSS 9.1) → JSBridge特权API无授权调用 ds.alipay.com Open Redirect (CVSS 9.3) → DeepLink URL Scheme Bypass (CVSS 9.1) → Unauthorized JSBridge Privileged API Access

这条链的效果:攻击者构造一条恶意链接,通过WhatsApp/微信/短信发送给任何用户。用户点击后,攻击者可以—— The chain's impact: an attacker crafts a single malicious link, sent via WhatsApp/WeChat/SMS to any user. Upon clicking, the attacker gains the ability to:

这些不是理论推测。308条服务器交互日志记录了每一次数据外传。42张全链路截图标记了每个关键步骤。3台设备在3个国家完成了独立复现——新西兰奥克兰的Samsung S25 Ultra、马来西亚槟城的Redmi、以及厂商自家安全负责人在杭州总部使用的iPhone 16 Pro。 These are not theoretical claims. 308 server interaction logs document every data exfiltration event. 42 full-chain screenshots mark each critical step. 3 devices across 3 countries independently reproduced the findings — a Samsung S25 Ultra in Auckland, New Zealand; a Redmi in Penang, Malaysia; and the vendor's own security lead's iPhone 16 Pro at Hangzhou headquarters.

17
已验证安全漏洞 CVSS 7.4–9.3Verified vulnerabilities CVSS 7.4–9.3
308
数据外传服务器日志Data exfiltration server logs
42
全链路证据截图Full-chain evidence screenshots
3
3国3设备独立复现Independent repro across 3 countries

2026年3月7日,在一通23分钟的语音通话中(全程录音),厂商安全负责人口头承认了漏洞的严重性。他亲口说:"如果你能绕过我们的白名单,那确实是很严重的问题。" On March 7, 2026, during a 23-minute phone call (fully recorded), the vendor's security lead verbally acknowledged the severity. His exact words: "If you can bypass our whitelist, that would indeed be a serious issue."

11分钟后,白名单被绕过。 Eleven minutes later, the whitelist was bypassed.

3月10日,厂商的最终答复:"经过我们安全工程师审核,这些属于正常功能。" March 10, the vendor's final response: "Based on our security engineers' assessment, these constitute normal functionality."

第二部分 Part 2 审查升级:从驳回到全面删除 Escalating Censorship — From Rejection to Total Deletion

时间线本身就是最有力的证据。 The timeline itself is the most powerful evidence.

3月11日 18:16 / Mar 11, 18:16

研究报告公开发布至独立博客 innora.ai/zfb/Research report publicly disclosed at independent blog innora.ai/zfb/

3月11日 22:45 / Mar 11, 22:45

公开发布4小时29分钟后,北京格韵律师事务所提交"名誉侵权"投诉4 hours 29 minutes after disclosure, Beijing Geyun Law Firm files "reputation infringement" complaint

3月12日 / Mar 12

微信平台驳回投诉(投诉单号 4285****65)— 裁定:不构成侵权WeChat platform rejects the complaint (Complaint #4285****65) — Ruling: no infringement found

3月12日 / Mar 12

Packet Storm Security 收录publishes Advisory #217089  ·  6个CVE提交MITRE (Ticket #2005801)6 CVEs submitted to MITRE (Ticket #2005801)

3月12–14日 / Mar 12–14

189封邮件发送至22个国家的约160个监管机构、CERT、媒体189 emails sent to ~160 regulators, CERTs, and media across 22 countries

3月15日 / Mar 15 — WORLD CONSUMER RIGHTS DAY

4篇文章全部被删除,依据"相关法律法规",投诉方匿名All 4 articles force-deleted, citing "related laws," complainant anonymous

3月15-19日 / Mar 15-19

研究员继续发表4篇新文章,涵盖IACR论文收录、SecurityGuard SDK逆向、1095个APP监控名单、向网信办举报等Researcher publishes 4 new articles covering IACR paper acceptance, SecurityGuard SDK RE, 1095-app surveillance list, and formal CAC complaint

3月19-20日 / Mar 19-20

6个新报告提交MITRE (Batch-1 + Batch-2),总计18个报告。IACR论文收录 (eprint.iacr.org/2026/526)6 new reports filed with MITRE (Batch-1 + Batch-2), total 18 reports. IACR paper published (eprint.iacr.org/2026/526)

2026-03-21: 发现WiFi RTT 9层室内定位系统,146,173个PatchProxy热替换点。补充证据发送至30+机构。AntSRC回复称漏洞"无法实际利用",但IACR论文和11个PoC已证明可利用性。2026-03-21: Discovered WiFi RTT 9-layer indoor positioning system with 146,173 PatchProxy hot-replacement points. Supplemental evidence sent to 30+ agencies. AntSRC responded claiming vulnerabilities "cannot be practically exploited" — contradicted by IACR paper and 11 verified PoCs.

3月23日 / Mar 23

Batch-3 + Batch-4: 18个新报告提交MITRE,总计36个报告覆盖10个ticket。Docker验证环境发布 (37项自动检查全部通过)。证据存档至IPFS。Zenodo DOI确权 (10.5281/zenodo.19186848)。Batch-3 + Batch-4: 18 new reports filed with MITRE, total 36 reports across 10 tickets. Docker verification environment published (37 automated checks, all passing). Evidence archived to IPFS. Zenodo DOI assigned (10.5281/zenodo.19186848).

3月20日 / Mar 20 — SECOND WAVE

又4篇新文章全部被删(总计8篇),同样援引"相关法律法规",仍不指明具体条款和投诉方4 MORE new articles force-deleted (8 total), again citing "related laws and regulations," still no specific article or complainant identified

被删除的9篇文章 The 9 Deleted Articles

  1. 《当白名单绕过沦为全网攻击的钥匙,傲慢的终点是法庭与溯源调查》"When Whitelist Bypass Becomes the Master Key to Full-Network Attack"
  2. 《巨头的"封口令"被微信驳回,而全球顶级黑客弹药库给出了最终裁决》"Tech Giant's 'Gag Order' Rejected by WeChat, Packet Storm Delivers Final Verdict"
  3. 《位置被秒偷!10多亿人每天在用的国民支付应用,17个「正常功能」细思极恐!》"Location Stolen Instantly! 17 'Normal Features' in the App 1 Billion People Use Daily"
  4. 《支付宝安全研究遭律师函投诉——一篇零次提及"支付宝"的文章如何构成"商誉侵权"?》"Alipay Research Hit with Lawyer's Letter — How Does an Article That Never Mentions 'Alipay' Constitute Reputation Infringement?"
  5. WAVE 2 (March 20):
  6. 《支付宝公关忙着删帖,我已经发论文拿到了全球最顶级密码学的入场券》"While Alipay's PR Team Deletes Posts, I've Published a Paper Accepted by the World's Top Cryptography Archive"
  7. 《竞品监控还是用户监控?支付宝代码里暗藏1095个APP"监控名单":你装的微信、银行、京东,它全知道》"Competitor Surveillance or User Surveillance? 1095 Apps in Alipay's Hidden Monitoring List"
  8. 《我以中国公民身份,向网信办正式举报了支付宝》"As a Chinese Citizen, I Formally Reported Alipay to the Cyberspace Administration of China"
  9. 《支付宝需要监控你的截屏、蓝牙和通话吗?一次完整的逆向工程分析》"Does Alipay Need to Monitor Your Screenshots, Bluetooth, and Phone Calls? A Complete Reverse Engineering Analysis"
  10. WAVE 3 (March 25):
  11. 《支付宝146,173个方法可被远程替换——PatchProxy热修复的代码级铁证》"Alipay's 146,173 Remotely Replaceable Methods — PatchProxy Hot-Patching Code-Level Evidence"

删除通知截图(原始证据) Deletion Notice Screenshots (Original Evidence)

WeChat deletion notice - articles 1 and 2

微信公众平台安全助手通知 — 文章1和2 WeChat Platform Safety Assistant — Articles 1 and 2

WeChat deletion notice - articles 3 and 4

微信公众平台安全助手通知 — 文章3和4 WeChat Platform Safety Assistant — Articles 3 and 4

注意通知措辞:"接相关投诉" — 不指明投诉方。"相关法律法规" — 不指明具体条款。没有申诉渠道。此前以"名誉侵权"为由的投诉已被平台驳回(单号4285****65)。此后文章被以"违反《网络安全法》"为由删除——三波共9篇,平台未再进行独立审核。 Note the wording: "Received related complaint" — complainant unidentified. "Related laws and regulations" — no specific article cited. No appeal channel. A complaint citing "reputation infringement" was rejected earlier (Case #4285****65, filed by Beijing Geyun Law Firm on behalf of Ant Group). Subsequently, articles were deleted citing "violation of the Cybersecurity Law" — 9 articles across three waves, with no independent review by the platform.

注意第4篇的标题:一篇零次提及"支付宝"的文章,在第一次投诉中(投诉单号4285****65)以"商誉侵权"为由被投诉。投诉本身就暴露了投诉方的身份——如果文章没有提到你,你怎么知道说的是你? Note Article 4's title: an article that mentioned "Alipay" zero times was targeted in the first complaint (Case #4285****65) for "reputation infringement." The complaint itself reveals the complainant's identity — if the article doesn't mention you, how do you know it's about you?

第三波删除通知截图 (3月25日) Wave 3 Deletion Notice Screenshot (March 25)

WeChat deletion notice - Wave 3, article 9

微信公众平台安全助手通知 — Vol.04 PatchProxy (第9篇) WeChat Platform Safety Assistant — Vol.04 PatchProxy (Article #9)

关键矛盾:第三波删除发生在2026年3月25日——同一天,中国网信办数据局正式确认正在组织对支付宝App进行核查。网络安全最高执法机构核查支付宝的同日,揭露支付宝安全问题的文章被以"网络安全法"名义删除。此外,删除通知明确引用"违反《中华人民共和国网络安全法》",与前两波模糊的"相关法律法规"不同。 Critical contradiction: Wave 3 occurred on March 25, 2026 — the same day China's CAC Data Bureau formally confirmed it was investigating Alipay's data practices. An article exposing Alipay's security issues was deleted under "Cybersecurity Law" on the same day the nation's top cybersecurity enforcement agency began investigating the company. Notably, this deletion notice explicitly cited "violation of the Cybersecurity Law of the PRC," a more specific legal basis than the vague "related laws and regulations" used in Waves 1 and 2.

第二波删除通知截图 (3月20日) Wave 2 Deletion Notice Screenshots (March 20)

WeChat Wave 2 deletion notice - articles 5 and 6

第二波删除通知 — 文章5和6 (IACR论文 + 1095个APP监控名单) Wave 2 Deletion Notice — Articles 5 and 6 (IACR Paper + 1095-App Surveillance List)

WeChat Wave 2 deletion notice - articles 7 and 8

第二波删除通知 — 文章7和8 (向网信办举报 + 逆向工程分析) Wave 2 Deletion Notice — Articles 7 and 8 (CAC Complaint + Reverse Engineering Analysis)

第二波审查要点:这4篇文章发布于3月15日首波审查之后。研究员在文章被删后继续发表新研究,蚂蚁集团再次通过相同机制删除。这证明这不是一次性事件,而是持续的、系统性的审查行动。值得注意的是:其中一篇文章记录了研究员向中国网信办的正式举报——举报蚂蚁的文章也被以蚂蚁的投诉删除了。 Wave 2 Key Points: These 4 articles were published AFTER the first wave of censorship on March 15. The researcher continued publishing new findings; Ant Group responded by deleting again via the same mechanism. This proves this is not an isolated incident but a sustained, systematic censorship campaign. Notably, one deleted article documented the researcher's formal complaint to China's Cyberspace Administration (CAC) about Alipay — the article reporting Ant Group to regulators was itself deleted at Ant Group's request.

升级路径清晰可见: The escalation pattern is unmistakable:

口头否认漏洞 → 律师函投诉"名誉侵权"(被驳回)→ 改用"网络安全法"(第一波:删4篇)→ 研究员继续发表 → 再次删除(第二波:再删4篇)→ 网信办核查同日再删1篇(第三波)→ 服务器端拦截PoC Verbal denial → Lawyer letter citing "reputation infringement" (rejected) → Switch to "Cybersecurity Law" (Wave 1: 4 articles deleted) → Researcher continues publishing → Second deletion (Wave 2: 4 more deleted) → CAC investigation same day, 1 more deleted (Wave 3) → Server-side PoC interception

2026-03-25

第三波:网信办核查同日删除 — Vol.04《支付宝146,173个方法可被远程替换——PatchProxy热修复的代码级铁证》被删除。删除理由明确引用"违反《中华人民共和国网络安全法》"。同一天(3月25日),中国网信办数据局正式通知研究员,正在组织对支付宝App进行核查。揭露支付宝安全问题的文章被以"网络安全法"名义删除,与网络安全最高执法机构的调查行动形成直接矛盾。 Wave 3: Deletion on Same Day as CAC Investigation — Vol.04 "Alipay's 146,173 Remotely Replaceable Methods — PatchProxy Hot-Patching" was deleted. The deletion notice explicitly cited "violation of the Cybersecurity Law of the PRC." On the same day (March 25), China's CAC Data Bureau formally notified the researcher that it was conducting an investigation into Alipay's data practices. An article exposing Alipay's security issues was deleted under "Cybersecurity Law" while the nation's top cybersecurity enforcement agency was simultaneously investigating the same company.

第三部分 Part 3 法律的两张面孔 Two Faces of Law

中国:网络安全法的武器化 China: Weaponization of Cybersecurity Law

2026年1月1日生效的《网络安全法》修正案将原第26条改为第28条,规定:未经授权开展网络安全认证、检测、风险评估活动,或发布系统漏洞等网络安全信息,可被处以最高100万元人民币罚款(约14万美元),并可被责令停业整顿、关闭网站、吊销营业执照。 China's amended Cybersecurity Law (effective January 1, 2026) renumbered Article 26 to Article 28, stipulating: conducting unauthorized cybersecurity certification, testing, or risk assessment, or publishing cybersecurity information including system vulnerabilities, may result in fines up to RMB 1 million (~$140,000 USD), with authorities empowered to order business suspension, website shutdown, or license revocation.

但请注意:这条法律的本意是规范漏洞披露流程,要求研究者先向工信部(MIIT)报告,不得在厂商修补前公开。它从来不是一个"删除安全研究文章"的工具。 But note: this law's intent is to regulate vulnerability disclosure processes, requiring researchers to report to MIIT first, and prohibiting publication before vendor patches. It was never designed as a tool for "deleting security research articles."

在本案中:In this case:

网络安全法第28条不适用于此场景。它被用来作为一个无法被质疑的"核武器"——因为在中国的平台审核体系中,引用"网络安全法"几乎等于自动执行,无需实质审查。 Article 28 does not apply to this scenario. It was wielded as an unquestionable "nuclear option" — because in China's platform moderation system, invoking "Cybersecurity Law" triggers near-automatic enforcement without substantive review.

欧盟:吹哨人保护指令 EU: Whistleblower Protection Directive

在世界的另一边,完全相反的法律框架保护着同样的行为。 On the other side of the world, an entirely opposite legal framework protects the exact same conduct.

EU Whistleblower Directive 2019/1937

  • 第19条: 成员国应禁止对举报人的任何报复行为Article 19: Member States shall prohibit any form of retaliation against reporting persons
  • 第21条: 报复行为包括——解雇、降级、骚扰、负面推荐、列入黑名单、业务抵制Article 21: Retaliation includes dismissal, demotion, harassment, negative references, blacklisting, business boycotting
  • 第22条: 受害者有权通过司法或行政程序获得物质和精神损害赔偿Article 22: Victims are entitled to material and non-material damage compensation through judicial/administrative procedures
  • 第23条: 成员国应对实施报复的自然人和法人制定有效、相称和具有威慑力的处罚Article 23: Member States shall lay down effective, proportionate and dissuasive penalties for perpetrators of retaliation

Alipay的欧洲实体——Alipay (Europe) Limited S.A.(CSSF编号W000****09,卢森堡RCS B188095)——持有电子货币机构(EMI)牌照,受CSSF直接监管。 Alipay's European entity — Alipay (Europe) Limited S.A. (CSSF No. W000****09, Luxembourg RCS B188095) — holds an Electronic Money Institution (EMI) license under direct CSSF supervision.

2025年5月,CSSF已经因反洗钱(AML)违规对其处以€214,000罚款——涉及6起可疑交易报告未提交、制裁警报延迟、KYC文件缺失。 In May 2025, CSSF had already fined it €214,000 for AML violations — involving 6 unreported suspicious transaction reports, delayed sanction alerts, and missing KYC documentation.

2026年3月13日,我向CSSF Whistleblowing团队提交了安全漏洞报告。案件编号:[Case Ref Redacted]。CSSF的ICT Risk监管部门和Whistleblowing团队双重确认收到 On March 13, 2026, I submitted the security vulnerability report to CSSF's Whistleblowing team. Case number: [Case Ref Redacted]. Both CSSF's ICT Risk Supervision and Whistleblowing teams confirmed receipt.

跨境删除内容是否构成EU法下的"报复"?这是一个前沿法律问题。但根据Directive第21条的广义定义——"任何直接或间接导致举报人遭受不利待遇的行为"——通过律师事务所在中国平台删除安全研究文章,完全可以被论证为报复行为 Does cross-border content deletion constitute "retaliation" under EU law? This is a frontier legal question. But under Article 21's broad definition — "any action that causes unjustified detriment" — using a law firm to delete security research articles on Chinese platforms can be argued as retaliatory conduct.

第四部分 Part 4 全球回响:38个机构的回答 Global Echo — Responses from 38 Institutions

如果这些漏洞真的是"正常功能",为什么全球38个机构做出了回应? If these vulnerabilities are truly "normal functionality," why did 38 global institutions respond?

金融监管机构(16个回复) Financial Regulators (16 responses)

机构Institution 国家Country 行动Action
HKMA 香港金融管理局HK Monetary Authority 香港Hong Kong 正式投诉立案Formal complaint filed CE202603****5412
PDPC 个人数据保护委员会Personal Data Protection Commission 新加坡Singapore 正式隐私违规调查Formal privacy investigation #006****24
CSSF 金融监管委员会Financial Sector Supervisory Commission 卢森堡Luxembourg Whistleblowing [Case Ref Redacted]
FCA 金融行为监管局Financial Conduct Authority 英国UK Whistleblowing团队确认收到Whistleblowing team confirmed receipt
OAIC 信息专员办公室Office of the Australian Information Commissioner 澳大利亚Australia Intake团队确认收到Intake team confirmed receipt
EDPB 欧洲数据保护委员会European Data Protection Board 欧盟EU 跨境数据保护投诉确认收到Cross-border data protection complaint confirmed
FMA 金融市场管理局Financial Markets Authority 新西兰New Zealand 确认收到,正在评估Confirmed receipt, assessing
ANSSI 网络安全局National Cybersecurity Agency 法国France 确认收到,已转交相关部门Confirmed, forwarded to relevant dept
CIRCL 国家CERTNational CERT 卢森堡Luxembourg [CIRCL Case #XXXXX],已代联Alibaba SRC, coordinating with Alibaba SRC
DNB 荷兰央行De Nederlandsche Bank 荷兰Netherlands 确认收到,转info@监管通道Confirmed, forwarded to regulatory channel
BNM 国家银行Bank Negara Malaysia 马来西亚Malaysia 确认收到Confirmed receipt BNM:0001****9160
OJK 金融监管局Financial Services Authority 印尼Indonesia 要求补充说明Requested additional details L260****304

平台方(5个回复) Platforms (5 responses)

平台Platform 行动Action
Apple Product Security 正式调查Formal investigation OE0105****3014
Google Play 政策违规审查Policy violation review #9-7515****0640
Packet Storm Security 已发布Published Advisory #217089
MITRE CVE 6个CVE受理6 CVEs received Ticket #2005801
PayPal 确认收到Confirmed receipt

媒体与社区(7+个回复) Media and Community (7+ responses)

Help Net Security、Tech in Asia、The Information等媒体确认收到。Reddit r/netsec社区已发帖。独立安全研究者在GitHub上独立复现了发现。 Help Net Security, Tech in Asia, The Information and others confirmed receipt. Posted on Reddit r/netsec. Independent security researchers reproduced findings on GitHub.

总计:189封邮件,22个国家,38+个回复,多个正式调查启动。 Total: 189 emails, 22 countries, 38+ responses, multiple formal investigations launched.

第五部分 Part 5 全球模式:安全研究者被打压不是个案 Global Pattern — Researcher Suppression Is Not Isolated

disclose.io Research Threats Database 记录了过去25年中 80+起安全研究者遭受法律威胁的案例。模式惊人地相似: The disclose.io Research Threats Database documents 80+ cases of legal threats against security researchers over 25 years. The patterns are strikingly similar:

案例Case 年份Year 国家Country 打压模式Suppression Pattern
Columbus, Ohio vs Connor Goodwolf 2024 美国USA 研究者报告勒索软件数据泄露 → 被申请禁止令+$25K赔偿Researcher reports ransomware breach → injunction + $25K demanded
NEWAG vs Dragon Sector 2023–24 波兰Poland 研究者发现火车DRM → 被起诉版权侵权(SLAPP诉讼)Train DRM research → SLAPP copyright lawsuit
Modern Solution GmbH 2024 德国Germany 程序员报告漏洞 → 被刑事起诉,罚款€3,000Programmer reports vuln → criminal prosecution, €3,000 fine
FreeHour vs CS Students 2023 马耳他Malta 4名学生报告漏洞 → 被逮捕、脱衣搜身4 students report vuln → arrested, strip-searched
Arm Ltd vs Maria Markstedter 2023 英国UK 研究者域名被投诉下线Researcher's domain taken offline via complaint
Apple vs Denis Tokarev 2021 美国USA DMCA武器化删除GitHub漏洞文档DMCA weaponized to remove GitHub vulnerability docs

本案的独特特征 What Makes This Case Unique

这可能是全球第一例——在投诉被平台驳回后,通过一个匿名投诉、引用不同法律依据成功删除内容的记录案例——没有指明投诉方,没有申诉渠道。 This may be the first documented case where after a complaint was rejected by a platform, articles were subsequently deleted through an anonymous complaint citing a different legal basis — with no identified complainant and no appeal process.

不管是谁提交的第二次投诉,结果都一样恐怖:一次被驳回的投诉,只需要换一个法律依据就能绕过平台审核,实现内容删除。这个系统没有纠错机制。 Regardless of who filed the second complaint, the result is equally terrifying: a rejected complaint can bypass platform review simply by citing a different legal basis, achieving content deletion. This system has no error-correction mechanism.

第六部分 Part 6 对比的荒谬 The Absurdity of Contrast

同一份技术研究报告。同样的17个漏洞。同样的308条日志和42张截图。 The same technical research report. The same 17 vulnerabilities. The same 308 logs and 42 screenshots.

维度Dimension 国际社会International 中国平台Chinese Platform
漏洞定性Classification CVSS 9.3, 6个CVE待分配6 CVEs pending "正常功能""Normal functionality"
内容状态Content Status 公开存档 (Packet Storm/GitHub/innora.ai)Publicly archived (Packet Storm/GitHub/innora.ai) 强制删除Force-deleted
法律定性Legal Status ISO 29147合规披露 + EU吹哨人保护ISO 29147-compliant disclosure + EU whistleblower protection "违反网络安全法""Violates Cybersecurity Law"
厂商回应Vendor Response Apple/Google启动调查Apple/Google launched investigations 律师函 + 删帖Lawyer's letter + content deletion
监管态度Regulatory Response 16个机构正式回复/立案16 institutions formally responded/filed 沉默Silence
研究者待遇Researcher Treatment Packet Storm认证 + CVE编号Packet Storm recognition + CVE assignment 内容审查Content censored

相同的事实,在太平洋的两岸获得了完全相反的法律待遇。 Identical facts receive diametrically opposite legal treatment on two sides of the Pacific.

在卢森堡,向CSSF报告金融机构的安全漏洞是受法律保护的吹哨行为 ([Case Ref Redacted])。在中国,发表相同内容是"违反网络安全法"。 In Luxembourg, reporting a financial institution's security vulnerabilities to CSSF is legally protected whistleblowing ([Case Ref Redacted]). In China, publishing the same content is "violating the Cybersecurity Law."

卢森堡的 Alipay (Europe) Limited S.A. 已经因为合规失败被罚了€214,000。而在中国,揭示其母公司应用安全问题的研究者被审查。 Luxembourg's Alipay (Europe) Limited S.A. has already been fined €214,000 for compliance failures. In China, the researcher revealing its parent company's application security issues gets censored.

第七部分 Part 7 寒蝉效应与真正的网络安全威胁 Chilling Effect and the Real Cybersecurity Threat

删除安全研究文章不会让漏洞消失。 Deleting security research articles does not make vulnerabilities disappear.

截至今天,这条CVSS 9.3的攻击链仍然公开存档在三个独立节点: As of today, this CVSS 9.3 attack chain remains publicly archived on three independent nodes:

  1. Packet Storm Security — Advisory #217089
  2. GitHubsgInnora/alipay-deeplink-research
  3. innora.ai/zfb/独立镜像(本站)Independent mirror (this site)

删除微信文章唯一的效果是:让中国用户无法了解他们正在使用的应用存在的安全风险。 The only effect of deleting WeChat articles: Chinese users are denied knowledge of the security risks in the application they use daily.

删除通知截图(原始证据) Deletion Notice Screenshots (Original Evidence)

WeChat deletion notice - articles 1 and 2

微信公众平台安全助手通知 — 文章1和2 WeChat Platform Safety Assistant — Articles 1 and 2

WeChat deletion notice - articles 3 and 4

微信公众平台安全助手通知 — 文章3和4 WeChat Platform Safety Assistant — Articles 3 and 4

注意通知措辞:"接相关投诉" — 不指明投诉方。"相关法律法规" — 不指明具体条款。没有申诉渠道。此前以"名誉侵权"为由的投诉已被平台驳回(单号4285****65)。此后文章被以"违反《网络安全法》"为由删除——三波共9篇,平台未再进行独立审核。 Note the wording: "Received related complaint" — complainant unidentified. "Related laws and regulations" — no specific article cited. No appeal channel. A complaint citing "reputation infringement" was rejected earlier (Case #4285****65, filed by Beijing Geyun Law Firm on behalf of Ant Group). Subsequently, articles were deleted citing "violation of the Cybersecurity Law" — 9 articles across three waves, with no independent review by the platform.

这创造了一个荒谬的悖论:全世界的安全研究者、监管机构、甚至厂商的竞争对手(Apple、Google已启动调查)都知道这些漏洞——唯独受影响最大的10亿中国用户被蒙在鼓里。 This creates an absurd paradox: security researchers, regulators, and even the vendor's competitors worldwide (Apple and Google have launched investigations) all know about these vulnerabilities — except for the 1 billion Chinese users most affected, who are kept in the dark.

这才是真正的网络安全威胁。不是安全研究者披露漏洞。而是企业利用法律阻止漏洞被修复。 This is the real cybersecurity threat. Not security researchers disclosing vulnerabilities. But corporations using law to prevent vulnerabilities from being fixed.

第八部分 Part 8 我们的立场 Our Position

我以CISSP认证安全专家的身份,以Innora AI安全研究团队创始人的身份,声明以下立场: As a CISSP-certified security professional and founder of Innora AI Security Research, I state the following position:

第九部分 Part 9 致全球安全研究社区 To the Global Security Research Community

这不仅仅是一个关于支付宝漏洞的故事。这是一个关于安全研究者在2026年面临的系统性威胁的故事。 This is not merely a story about Alipay vulnerabilities. This is a story about the systemic threats security researchers face in 2026.

当一家千亿级企业可以在投诉被驳回后,仅仅通过更换法律条款就实现内容删除——没有任何研究者是安全的。 When a hundred-billion-dollar corporation can achieve content deletion simply by switching legal grounds after its complaint is rejected — no researcher is safe.

当"网络安全法"可以被用来删除安全研究而非保护网络安全——法律本身已经成为安全漏洞。 When "Cybersecurity Law" can be used to delete security research rather than protect cybersecurity — the law itself has become a security vulnerability.

我们需要:We need:

附录 Appendix 关键案件编号 Key Case Numbers

编号ID 类型Type 状态Status
Packet Storm #217089 Advisory 已发布Published
MITRE Ticket #2005801 6x CVE申请6x CVE request 待分配Pending
HKMA CE202603****5412 SVF投诉SVF Complaint 立案Filed
PDPC #006****24 隐私调查Privacy Investigation 调查中Investigating
CSSF [Case Ref Redacted] Whistleblowing 已受理Received
FCA UK Whistleblowing 已确认Confirmed
Apple OE0105****3014 产品安全Product Security 调查中Investigating
Google Play #9-7515****0640 政策违规Policy Violation 调查中Investigating
CIRCL [CIRCL Case #XXXXX] CERT协调CERT Coordination 进行中In Progress
WeChat #4285****65 侵权投诉Infringement Complaint 第一次驳回 → 第二次删除First rejected → Second: deleted
完整技术报告 Full Technical Report Packet Storm #217089 GitHub Repo
#SecurityResearch #VulnerabilityDisclosure #Censorship #CybersecurityLaw #WhistleblowerProtection #Alipay #AntGroup #PacketStorm #CVE #MITRE #CSSF #HKMA #FreeSpeech #ResearcherRights #InfoSec