Nadim Kobeissi
@nadim.computer
Applied cryptographer. Mainly working in the cryptography auditing industry, but sometimes venturing back into academia. Hobbyist puzzle game author. https://nadim.computer
Cryspen merged my fixes yesterday via the CEO closing my fix PRs then copy-pasting my code and merging it under his own name.
It's day five and they still haven't issued a security advisory for any of the five bugs reported, of which they've fixed four.
Who's putting the community at risk here?
It's day five and they still haven't issued a security advisory for any of the five bugs reported, of which they've fixed four.
Who's putting the community at risk here?
February 10, 2026 at 10:26 AM
Cryspen merged my fixes yesterday via the CEO closing my fix PRs then copy-pasting my code and merging it under his own name.
It's day five and they still haven't issued a security advisory for any of the five bugs reported, of which they've fixed four.
Who's putting the community at risk here?
It's day five and they still haven't issued a security advisory for any of the five bugs reported, of which they've fixed four.
Who's putting the community at risk here?
Many technical discussions, won't be drama-only
February 9, 2026 at 9:31 PM
Many technical discussions, won't be drama-only
Very much looking forward to this talk. It's time to set the record straight. Will be announced soon.
February 9, 2026 at 9:16 PM
Very much looking forward to this talk. It's time to set the record straight. Will be announced soon.
Nice one! Noctua + 3D printed mounts?
February 9, 2026 at 8:45 PM
Nice one! Noctua + 3D printed mounts?
Cryspen finally pushed a fix for the critical nonce-reuse vulnerability.
On the left: my proposed fix, which was closed and rejected.
On the right: the fix Cryspen just pushed into a separate branch.
They rejected my PR, and then copied it letter by letter.
On the left: my proposed fix, which was closed and rejected.
On the right: the fix Cryspen just pushed into a separate branch.
They rejected my PR, and then copied it letter by letter.
February 9, 2026 at 10:50 AM
Cryspen finally pushed a fix for the critical nonce-reuse vulnerability.
On the left: my proposed fix, which was closed and rejected.
On the right: the fix Cryspen just pushed into a separate branch.
They rejected my PR, and then copied it letter by letter.
On the left: my proposed fix, which was closed and rejected.
On the right: the fix Cryspen just pushed into a separate branch.
They rejected my PR, and then copied it letter by letter.
It's simply unbelievable. Cryspen is sending me emails lecturing me on ethics, WHILE THEIR NONCE REUSE BUG REMAINS UNPATCHED FOR THE FOURTH DAY DESPITE MY GIVING THEM A FREE, TESTED FIX.
February 9, 2026 at 10:28 AM
It's simply unbelievable. Cryspen is sending me emails lecturing me on ethics, WHILE THEIR NONCE REUSE BUG REMAINS UNPATCHED FOR THE FOURTH DAY DESPITE MY GIVING THEM A FREE, TESTED FIX.
Today is day 4 of Cryspen leaving a critical nonce reuse vulnerability in a HPKE implementation used by both Signal and OpenMLS unpatched, despite there being a pull request with a tested fix: github.com/cryspen/hpke...
Nonce reuse vulnerability in hpke-rs by nadimkobeissi · Pull Request #118 · cryspen/hpke-rs
A critical nonce reuse vulnerability was discovered in the hpke-rs library that affects release builds only. The vulnerability allows an attacker to potentially recover plaintexts when a single HPK...
github.com
February 9, 2026 at 8:38 AM
Today is day 4 of Cryspen leaving a critical nonce reuse vulnerability in a HPKE implementation used by both Signal and OpenMLS unpatched, despite there being a pull request with a tested fix: github.com/cryspen/hpke...
I have no idea, I don’t even believe it happens for real. Ask @mdh2.bsky.social — I’ve never met a person who stopped listening to music
February 8, 2026 at 9:00 PM
I have no idea, I don’t even believe it happens for real. Ask @mdh2.bsky.social — I’ve never met a person who stopped listening to music
This happens to people?!
February 8, 2026 at 8:34 PM
This happens to people?!