Having worked on OpenSSL for many years, the absolute worst thing you can do is not respond to reported vulnerabilities. Even if it’s just an auto-reply that says “thanks, we got it.” I also think it would be worth pointing out more strongly that we are interested in *protocol* errors, not *implementation* errors, and making that distinction clear.