Ethical Hacking News
A high-profile controversy has erupted in the open-source community around RustSec, the community-maintained security advisory database for Rust crates. Cryptographer Nadim Kobeissi claims that he was dismissed, ignored, and banned from Rust security channels for his efforts to bring attention to critical bugs in the hpke-rs crate, a Rust implementation of Hybrid Public Key Encryption (HPKE, RFC 9180). The situation has sparked a heated debate about the role of security advisories and the need for fair and transparent bug reporting practices.
The RustSec controversy highlights the challenges of open-source collaboration and communication. Nadim Kobeissi reported critical bugs in the hpke-rs crate but faced resistance from the RustSec maintainers. Kobeissi alleges mistreatment by the RustSec advisory database maintainers, including ignoring and blocking his reports. Cryspen claims to have addressed four bugs identified by Kobeissi within a week, while Filippo Valsorda disputes Kobeissi's account of the situation. The debate raises questions about the role of security advisories in the open-source community and the need for fair and transparent bug reporting.
The world of open-source software development is replete with examples of collaboration, mutual respect, and camaraderie. However, when it comes to security vulnerabilities, disputes can quickly escalate into heated debates, accusations, and even retaliation. The current controversy surrounding the RustSec advisory database serves as a prime example of the challenges that arise when individuals with different communication styles and expectations clash.
According to recent reports, cryptographer Nadim Kobeissi has been attempting to bring attention to critical bugs in the hpke-rs crate, a Rust library that other projects depend on for HPKE. His efforts have been met with resistance from the RustSec advisory database maintainers, who claim that Kobeissi's complaints are not made in good faith or are not proportional to the situation.
Kobeissi's argument centers on his discovery of a nonce-reuse vulnerability in the hpke-rs crate, which allows full AES-GCM plaintext recovery and forgery. This is the expected consequence of nonce reuse in AES-GCM: the cipher encrypts with a CTR keystream derived from the key and nonce, so two messages sealed under the same key and nonce leak the XOR of their plaintexts, and the two authentication tags let an attacker recover the GHASH key needed to forge tags. He claims to have reported the issue to RustSec more than 13 times, but the maintainers have failed to acknowledge or address it. Furthermore, Kobeissi alleges that the RustSec advisory database maintainer closed multiple advisory pull requests without technical justification, silently blocked him from the RustSec GitHub organization without notice, and closed his pending advisory pull request after he discovered he had been blocked.
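The following is an added example, not code from hpke-rs, RustSec, or any party to the dispute, and it does not reproduce the hpke-rs bug itself. It uses only Go's standard-library AES-GCM to show the plaintext-recovery half of the attack described above: when two messages are sealed under the same key and nonce, the CTR keystream cancels out and the XOR of the two ciphertext bodies equals the XOR of the two plaintexts, so knowing one plaintext reveals the other. The key, nonces and messages are constructed for the demonstration. Tag forgery (recovering the GHASH key H from the two tags, Joux's "forbidden attack") is not carried out here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// gcmTagSize is the length of the authentication tag AES-GCM appends to the ciphertext.
const gcmTagSize = 16

// Constructed demo values (not secrets, not taken from any real system).
var (
	demoKey     = []byte("0123456789abcdef0123456789abcdef") // 32 bytes => AES-256
	reusedNonce = []byte("fixed-nonce!")                     // 12-byte nonce used twice by mistake
	freshNonce  = []byte("fresh-nonce2")                     // a distinct 12-byte nonce
	plaintext1  = []byte("Meeting moved to 09:00 tomorrow.") // known to the attacker
	plaintext2  = []byte("Wire 4,000 EUR to account 7731.")  // what the attacker wants
)

// sealGCM returns ciphertext||tag for plaintext under key and nonce (no AAD).
func sealGCM(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, plaintext, nil), nil
}

// xorBytes returns a XOR b over the length of the shorter input.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// RecoverFromNonceReuse takes two AES-GCM outputs produced under the same key and
// nonce, plus the plaintext of the first, and returns the plaintext of the second
// (over the overlapping length). It never touches the key: the shared keystream
// cancels in c1 XOR c2, leaving p1 XOR p2.
func RecoverFromNonceReuse(c1, c2, knownP1 []byte) []byte {
	body1 := c1[:len(c1)-gcmTagSize]
	body2 := c2[:len(c2)-gcmTagSize]
	p1XorP2 := xorBytes(body1, body2)
	return xorBytes(p1XorP2, knownP1)
}

// Demonstrate seals plaintext1 under nonce1 and plaintext2 under nonce2 with the
// same key, then runs the recovery. With nonce1 == nonce2 the result is plaintext2;
// with distinct nonces the keystreams differ and the result is garbage.
func Demonstrate(nonce1, nonce2 []byte) ([]byte, error) {
	c1, err := sealGCM(demoKey, nonce1, plaintext1)
	if err != nil {
		return nil, err
	}
	c2, err := sealGCM(demoKey, nonce2, plaintext2)
	if err != nil {
		return nil, err
	}
	return RecoverFromNonceReuse(c1, c2, plaintext1), nil
}

func main() {
	got, err := Demonstrate(reusedNonce, reusedNonce)
	if err != nil {
		panic(err)
	}
	fmt.Printf("nonce reused:  recovered %q (match=%v)\n", got, bytes.Equal(got, plaintext2))

	got, err = Demonstrate(reusedNonce, freshNonce)
	if err != nil {
		panic(err)
	}
	fmt.Printf("nonces differ: recovered %q (match=%v)\n", got, bytes.Equal(got, plaintext2))
}
```

The fix on the sender side is the usual one: never seal two messages under the same (key, nonce) pair, either by using a counter that is never reset for the lifetime of the key or by drawing a fresh random 96-bit nonce per message from a CSPRNG and rotating the key well before the birthday bound. A unit test that seals two messages and asserts the nonces differ is a cheap regression guard for this class of bug.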
The situation took a turn for the worse when Kobeissi filed a complaint with the Rust Foundation, claiming that he had been dismissed, ignored, and banned from Rust security channels. He also alleged that the conduct of the RustSec advisory database maintainers violated the Rust Foundation's Code of Conduct. For its part, Cryspen, the company that maintains hpke-rs and libcrux, stated that it welcomes all vulnerability reports and had addressed four bugs identified by Kobeissi within a week.
However, Filippo Valsorda, another cryptographer who reported a bug in the same period, takes a different stance. He claims that Kobeissi's February 5 post misrepresents the situation by claiming to have found five security vulnerabilities when only one qualifies as a security issue: the nonce-reuse bug reported to RustSec. Valsorda also asserts that if the RustSec maintainers banned Kobeissi or chose not to merge his report, they had reason to do so.
The debate highlights the difficulty of harmonizing behavioral norms across a diverse set of people with different communication styles and expectations. The organizational policies in place are often insufficient to adjudicate disputes amid potential conflicts of interest, and they lack the rigor and enforceability of court-based litigation.
Kobeissi makes this very point in his complaint to the Rust Foundation, arguing that the Rust Project's moderation team representative on the Leadership Council is the same individual who issued a public moderation warning against him in the underlying security advisory dispute. He characterizes his ban as retaliation for complaining, stating that he had been trying to get an advisory published for this bug for more than a month.
In conclusion, the controversy surrounding RustSec serves as a stark reminder of the challenges inherent in open-source software development. When individuals with different perspectives and communication styles come together, conflicts can arise. It is essential that organizations establish clear guidelines and mechanisms for addressing disputes, ensuring that such incidents do not escalate into personal attacks or retaliation.
The ongoing debate raises questions about the role of security advisories in the open-source community and the importance of ensuring that bug reports are handled in a fair and transparent manner. As the situation unfolds, it remains to be seen whether the RustSec maintainers will revise their approach or if Kobeissi's efforts will ultimately lead to significant changes in the way security vulnerabilities are addressed.
Related Information:
https://www.ethicalhackingnews.com/articles/The-RustSec-Controversy-A-War-of-Words-Over-Bug-Reports-and-Retaliation-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/03/20/cryptographer_nadim_kobeissi_rustsec_ban/
https://www.theregister.com/2026/03/20/cryptographer_nadim_kobeissi_rustsec_ban/
https://rustsec.org/
Published: Fri Mar 20 16:29:49 2026 by llama3.2 3B Q4_K_M