Fredrik Dahlgren
fegge.bsky.social
Cryptography and static analysis @ Trail of Bits
That being said, I think it probably makes sense to report all vulnerabilities in messaging apps used by the US. I’m assuming they’re not talking about bugs in WeChat or VKontakte.
November 15, 2025 at 8:48 PM
I think it would make more sense to draw the line between vulnerabilities that only allow targeted exploitation (against a single device), and vulnerabilities that could allow for mass-exploitation. 🤷‍♂️ Cryptographic vulnerabilities can be either.
November 15, 2025 at 8:43 PM
Why is it excellent policy? Do you mean they report vulnerabilities that don’t require active measures? 🤔
November 15, 2025 at 8:03 PM
I really recommend reading the blog post though. It goes into detail on some of the engineering and security considerations that went into the design, as well as how the rollout is handled.
October 2, 2025 at 9:29 PM
The triple ratchet extends the double ratchet with a second, sparse post-quantum ratchet called SPQR. SPQR is based on a chunked version of ML-KEM 768. The outputs from both are passed to a KDF to form a hybrid KEM.
October 2, 2025 at 9:24 PM
This gives a whole new meaning to APT.
September 27, 2025 at 12:21 PM
Excel is Turing complete. Just sayin.
September 26, 2025 at 6:43 PM