I went looking for various GitHub projects to identify some Canonical/Ubuntu individuals who published an email address (of whatever nature).
I got a couple of hits and I want to share this one with everyone. His name is associated with
canonical/canonical.com
IMPORTANT: his own profile on GitHub does not identify him as Canonical, unlike many others who do, but he does use the expression “our IS teams” … so he might be, just not openly!!!
The extortion angle is the eye-catching part, but what’s stuck with me more is how thin Canonical’s own disclosure has been throughout this.
The official trail is basically: the May 1 Discourse post saying they’re under a “sustained, cross-border attack,” a spokesperson quote to The Register which linked to somewhere in the forums before, and a May 6 note saying services were restored. That’s it!
No attribution from Canonical, no acknowledgment, no peak traffic figures, no mention of mitigation specifics, and no post-incident write up.
For a DDoS that took the Ubuntu security API offline for the better part of a week, that feels light.
And what’s harder to shrug at is the operational posture. No CDN or WAF in front of the security API in 2026 is a choice. No comms during the incident is a choice. No post-mortem afterwards is a choice.
For a company that sells Ubuntu Pro on a security pitch, the silence is doing damage IMO. Hopefully more details this month.
Hopefully more details this month.
