@rfc6919 @projectgus If you don't have a real program of monitoring the changes to foundational open source projects, lying about it is quite dicey, for a number of reasons - possibly up to being securities fraud.
Heck, if you *have* a program but are lying about whether it can be credited with detecting it, that's sketch too.
Saying "one guy came across it by accident" doesn't really imply any business assurances, so it's a lot easier.
@lcamtuf @projectgus fair point. I guess I’m just thinking that if someone was making up a cover story for the disclosure, surely they could do better than the barely believable “I noticed and investigated a 0.4s slowdown in ssh auth”. I dunno, I don’t play 4D chess.