Cryptographer Nadim Kobeissi has been in a months-long dispute with the RustSec advisory database maintainers and Cryspen, a cryptographic software firm, over what he claims are critical vulnerabilities in Rust cryptography libraries, including hpke-rs. Kobeissi alleges that a nonce-reuse vulnerability, which would enable full AES-GCM plaintext recovery (AES-GCM's confidentiality depends on never repeating a nonce under the same key), affects libraries used by Signal, Google, and others, but says his advisory pull requests were closed without technical justification and that he was silently banned from RustSec's GitHub organization. He has escalated complaints to the Rust Moderation Team, the Leadership Council, and the Rust Foundation, alleging conflicts of interest. Fellow cryptographer Filippo Valsorda disputes Kobeissi's characterization, arguing that the nonce-reuse issue is not critical in practice and that Kobeissi's conduct amounts to harassment of open source maintainers. Cryspen says the bugs were addressed within a week and that it welcomes vulnerability reports. The dispute highlights broader challenges in open source governance, conflicts of interest in moderation, and coordinated vulnerability disclosure norms.
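Why a repeated AES-GCM nonce is treated as a confidentiality break, shown as an added illustration of the generic property rather than code from hpke-rs, Cryspen, RustSec or any party to the dispute: GCM encrypts with AES in counter mode, so two messages sealed under the same key and nonce are XORed with the same keystream, and XORing the two ciphertexts cancels that keystream and leaves the XOR of the plaintexts. Given one known plaintext, the other is read off directly without the key. The example uses Go's standard-library crypto/cipher so that it runs offline; the key, nonce, messages and function names are constructed for this illustration. It does not implement the further consequence of nonce reuse in GCM (recovery of the GHASH authentication key, which enables tag forgery), and it says nothing about whether any particular library's bug was exploitable in practice, which is the point the parties dispute.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const gcmTagLen = 16 // crypto/cipher appends a 16-byte tag to the ciphertext

// Constructed sample values for the illustration (not taken from any real system).
var (
	sampleKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	sampleNonce = []byte("fixed-nonce!")                     // 12 bytes, reused on purpose
	knownPT     = []byte("GET /health HTTP/1.1\r\nHost: example\r\n")
	secretPT    = []byte("Authorization: Bearer s3cr3t-token\r\n")
)

// sealGCM encrypts pt under key/nonce with AES-GCM and no associated data,
// returning ciphertext||tag exactly as crypto/cipher produces it.
func sealGCM(key, nonce, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, pt, nil), nil
}

// xorBytes returns a XOR b, truncated to the shorter input.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// RecoverWithKnownPlaintext is the attacker's side. It never sees the key:
// C1 XOR P1 yields the CTR keystream prefix, and C2 XOR keystream yields P2.
// Recovery covers min(len(P1), len(P2)) bytes.
func RecoverWithKnownPlaintext(ctKnown, ptKnown, ctTarget []byte) []byte {
	cKnown := ctKnown[:len(ctKnown)-gcmTagLen]
	cTarget := ctTarget[:len(ctTarget)-gcmTagLen]
	keystream := xorBytes(cKnown, ptKnown)
	return xorBytes(cTarget, keystream)
}

// NonceReuseDemo seals two messages under the same key and nonce and
// recovers the second from the first.
func NonceReuseDemo() ([]byte, error) {
	ct1, err := sealGCM(sampleKey, sampleNonce, knownPT)
	if err != nil {
		return nil, err
	}
	ct2, err := sealGCM(sampleKey, sampleNonce, secretPT)
	if err != nil {
		return nil, err
	}
	return RecoverWithKnownPlaintext(ct1, knownPT, ct2), nil
}

// DistinctNoncesDemo is the control case: with unique nonces the keystreams
// differ, so the same XOR trick does not reproduce the secret. Returns true
// only if recovery succeeded, which it should not.
func DistinctNoncesDemo() (bool, error) {
	ct1, err := sealGCM(sampleKey, []byte("nonce-aaaaaa"), knownPT)
	if err != nil {
		return false, err
	}
	ct2, err := sealGCM(sampleKey, []byte("nonce-bbbbbb"), secretPT)
	if err != nil {
		return false, err
	}
	guess := RecoverWithKnownPlaintext(ct1, knownPT, ct2)
	return bytes.Equal(guess, secretPT[:len(guess)]), nil
}

func main() {
	recovered, err := NonceReuseDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered without the key: %q\n", recovered)
	ok, _ := DistinctNoncesDemo()
	fmt.Printf("same trick with distinct nonces succeeds: %v\n", ok)
}
```

The known plaintext here is longer than the secret, so the whole secret comes back; in practice an attacker who can only guess a header or protocol prefix recovers that many bytes of every other message sealed under the repeated nonce. The fix in a library is to derive nonces so they cannot repeat under a key (a counter that the sealing context owns, or a fresh random nonce with a bounded message count per key), which is what makes a nonce-reuse bug a library defect rather than a caller error.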
The critical vulnerability of open source?