A significant dispute has emerged within the Rust programming community over the handling of cryptographic vulnerabilities. Cryptographer Nadim Kobeissi has been advocating for the disclosure of what he describes as critical bugs in Rust cryptography libraries, but his efforts have led to his ban from Rust security channels.
Background of the Dispute
Since February, Kobeissi has sought to have code fixes applied to Rust cryptography libraries, asserting that he identified serious vulnerabilities, including a nonce-reuse issue in the hpke-rs crate that could allow for full AES-GCM plaintext recovery and forgery. Despite his claims, he has faced dismissal and has been banned from relevant Rust community channels.
On March 17, Kobeissi filed a complaint with the Rust Moderation Team and Leadership Council regarding the conduct of the maintainers of the RustSec advisory database. Just hours later, he was banned from the Rust Project Zulip spaces.
Claims and Counterclaims
Kobeissi has characterized his attempts to publish advisories on these vulnerabilities as good-faith efforts. He stated, “I am an applied cryptographer who discovered critical cryptographic vulnerabilities… Over the past month, I have made repeated good-faith attempts to publish RustSec advisories for these vulnerabilities.” However, some members of the community, including cryptographer Filippo Valsorda, have criticized Kobeissi’s approach, suggesting it lacks proportionality and good faith.
Valsorda, who has been in conflict with Kobeissi for years, argues that Kobeissi’s claims misrepresent the situation. He contends that only one of the reported issues, the nonce reuse, qualifies as a security vulnerability, and that even it is not as critical as Kobeissi suggests. Valsorda noted that the nonce reuse only affects applications performing over four billion encryptions with a single HPKE setup, which he believes is uncommon.
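The figure of four billion encryptions per setup corresponds to a sequence counter that runs out after 2^32 messages. As an added illustration (not code from the article, hpke-rs or Cryspen), the following models the RFC 9180 nonce schedule, base_nonce XOR seq, and contrasts a counter that fails closed at its limit with one that silently wraps; the 32-bit width is an assumption chosen to match the number quoted above.

```python
"""Model of the HPKE AEAD nonce schedule (RFC 9180) and the message-limit check.
Added example; the 32-bit counter width is an assumption, not a claim about hpke-rs."""

NONCE_LEN = 12  # Nn for AES-128-GCM, AES-256-GCM and ChaCha20-Poly1305 in HPKE


def compute_nonce(base_nonce: bytes, seq: int) -> bytes:
    """RFC 9180 ComputeNonce: base_nonce XOR I2OSP(seq, Nn)."""
    if len(base_nonce) != NONCE_LEN:
        raise ValueError("base_nonce must be exactly Nn bytes")
    seq_bytes = seq.to_bytes(NONCE_LEN, "big")
    return bytes(a ^ b for a, b in zip(base_nonce, seq_bytes))


def nonce_for_message(base_nonce: bytes, seq: int,
                      counter_bits: int = 8 * NONCE_LEN, wrap: bool = False) -> bytes:
    """Nonce used by the seq-th Seal() on one encryption context.

    counter_bits is the width of the context's sequence counter. RFC 9180 allows
    seq up to 2**(8*Nn) - 1 and requires a MessageLimitReached error beyond that.
    With wrap=True the function instead models a narrower counter that wraps
    around (assumed 32 bits here), which makes later nonces collide with earlier ones.
    """
    limit = (1 << counter_bits) - 1
    if seq > limit:
        if not wrap:
            raise OverflowError("MessageLimitReached: context refuses to encrypt")
        seq &= limit  # wrapping counter: seq 2**32 becomes 0 again
    return compute_nonce(base_nonce, seq)


def first_reused_nonce(base_nonce: bytes, counter_bits: int, probe_seqs):
    """Return (seq, earlier_seq) for the first nonce collision among probe_seqs
    under a wrapping counter, or None. Only the given sequence numbers are
    checked, since iterating 2**32 Seal() calls is impractical in an example."""
    seen = {}
    for seq in probe_seqs:
        nonce = nonce_for_message(base_nonce, seq, counter_bits, wrap=True)
        if nonce in seen:
            return seq, seen[nonce]
        seen[nonce] = seq
    return None
```

With a full-width counter the nonce for seq 2^32 is distinct from seq 0; with a wrapping 32-bit counter the two are identical, which is the condition under which AES-GCM loses both confidentiality and integrity.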
Responses from Affected Parties
Cryspen, the cryptographic software firm involved, has responded to Kobeissi’s claims, stating that they welcome vulnerability reports and addressed the identified bugs within a week. They emphasized the importance of precise communication regarding the guarantees of formal verification.
Kobeissi has expressed frustration over the lack of published advisories for what he believes are critical vulnerabilities impacting widely used libraries, including those utilized by Signal and the Linux kernel. He claims that the RustSec team has closed multiple advisory pull requests without justification and has blocked him from contributing further.
Ongoing Investigation
The Rust Foundation has acknowledged Kobeissi’s complaint and stated that they take all reports seriously. They will assess the situation in accordance with their Code of Conduct Policy. As of now, the outcome of this investigation remains unclear, and the community continues to grapple with the implications of this dispute on open-source collaboration.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.