[btreecat]

> If there’s a way to undo huge amounts of redactions, that’d certainly be a net negative. Sort of like if encryption were suddenly broken, you wouldn’t publish a paper saying so.

I can't state emphatically enough how this is not the right mental playbook.

If you have found a vulnerability, it's likely someone else has too. By sitting on it, you only create more future victims.

Disclosure will lead to fixing this issue, mitigating it's precense, or switching tools/workflows, possibly a combination of. Sitting on it only ensures that folks who think they are protected, actually aren't.

[mlissner]

We’re familiar with vulnerability disclosure philosophies, but what if the problem can’t be fixed because there’s no forward secrecy for the hundreds of millions of documents that are already out there?

It’s tricky stuff and we have limited resources, unfortunately.

[btreecat]

>, but what if the problem can’t be fixed because there’s no forward secrecy for the hundreds of millions of documents that are already out there?

What if you are not the only folks who have found and exploited this vulnerability?

You can play the "what if" game to justify not doing the right thing all day long, when really it should be one "if" that guide you. What if someone else found this?

[opello]

So what is the state of the art in redaction? Re-publish the document with an insert that says [redaction] so that no (or maybe minimal) length side-channel exists? I imagine someone thinks about clever ideas and it would be fun to read about them and the trade-offs.