159 points botanica_labs | 2 comments
Rygian No.45670722
Here's an idea, from a parallel universe: Cloudflare should have been forced, by law, to engage a third party neutral auditor/pentester, and fix or mitigate each finding, before being authorised to expose the CIRCL lib in public.

After that, any CVE opened by a member of the public, and subsequently confirmed by a third party neutral auditor/pentester, would result in 1) fines to Cloudflare, 2) an award to the CVE opener, and 3) grounds for Cloudflare to sue their initial auditor.

But that's just a mental experiment.

semiquaver No.45671605
Seems like you want open source software to die.
Rygian No.45671723
A more charitable interpretation could be "seems like you want large corporations, which have the financial means, to take security seriously and build a respectable process before publishing security solutions whatever the license".
semiquaver No.45674327
All software is a security solution in one way or another. If open sourcing something risked massive liability no one would do it.