TheRegister's platform is a leading technology news website, offering insights into IT industry news, hardware reviews, and software updates. Through articles, analysis, and opinion pieces, TheRegister offers insights into cybersecurity threats, technology trends, and industry developments. Readers can stay updated with the latest news and analysis from the world of technology and IT business.

The Register

Cryptographer Nadim Kobeissi has been in a months-long dispute with RustSec advisory database maintainers and Cryspen, a cryptographic software firm, over what he claims are critical vulnerabilities in Rust cryptography libraries including hpke-rs. Kobeissi alleges a nonce-reuse vulnerability enabling full AES-GCM plaintext recovery affects libraries used by Signal, Google, and others, but says his advisory pull requests were closed without technical justification and he was silently banned from RustSec's GitHub. He has escalated complaints to the Rust Moderation Team, Leadership Council, and Rust Foundation, alleging conflicts of interest. Fellow cryptographer Filippo Valsorda disputes Kobeissi's characterization, arguing the nonce-reuse issue is not critical in practice and that Kobeissi's conduct amounts to harassment of open source maintainers. Cryspen says the bugs were addressed within a week and welcomes vulnerability reports. The dispute highlights broader challenges in open source governance, conflict of interest in moderation, and coordinated vulnerability disclosure norms.

Cryptographer fights RustSec ban over bug reports

The critical vulnerability of open source?