
communication

Posted Jan 21, 2026 20:53 UTC (Wed) by tux3 (subscriber, #101245)
In reply to: communication by Phantom_Hoover
Parent article: Responses to gpg.fail

>At the end of the day, vulnerability disclosures by themselves do *nothing* to make anyone safer

Well, I was writing another response, but it vanished in a misclick. I'll say that at least for me, I'd heard of all those fancier modern alternatives and never had any reason to use them instead of good old battle-tested GPG. I didn't expect GPG to be this complex internally, for what little use I make of it. I will be marginally safer, and I'll thank both the maintainers and the researchers.

I'm particularly impressed by the age maintainer, who responded by delivering an award in person to the researchers. My eyes can't help but see a contrast in the responses.

Disclosure timelines eventually end in publication of unpatched bugs. Vulnerability research can be inconvenient for compliance. I think that compliance and security are just two very different axes, aren't they?

