Stanislav Fort
In five cases, AISLE's AI system directly proposed the patches that were accepted into the official release after a human review from both AISLE and OpenSSL.
Matt Caswell, executive director of the OpenSSL Foundation, said this about the findings:
"Keeping widely deployed cryptography secure requires tight coordination between maintainers and researchers. We appreciate AISLE's responsible disclosures and the quality of their engagement across these issues."
Tomáš Mráz, the CTO of OpenSSL, said the following about the newest security release:
"One of the most important sources of the security of the OpenSSL library and open source projects overall is independent research. This release is fixing 12 security issues, all disclosed to us by AISLE. We appreciate the high quality of the reports and their constructive collaboration with us throughout the remediation."
The assigned CVEs still don't represent the full picture here.
Some of the most valuable security work happens when vulnerabilities are caught before they ever ship, which is my ultimate goal.
Throughout 2025, AISLE's system identified several issues in OpenSSL's development branches and pull requests that were fixed before reaching any release.
Double free in the OCSP implementation, PR #28300.
Caught and fixed before the vulnerable code ever appeared in a release.
Use-after-free and double free in RSA OAEP label handling, PR #29707.
Improper duplication of the OAEP label member could lead to a use-after-free and a double free when the duplicate is freed.
Crash in BIO_sendmmsg/BIO_recvmmsg with legacy callbacks, PR #29395.
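The OAEP label bug described above is an instance of a general pattern: a context object owns a heap-allocated, variable-length member, and a "duplicate" routine copies the pointer instead of the buffer, so the original and the copy both believe they own it and freeing both frees it twice. The following C program, added here as an illustration and not taken from OpenSSL's code or the pull request, uses a hypothetical `oaep_ctx` struct with a `label` buffer to contrast a shallow duplicate (the defect class) with a deep duplicate (the fix), and includes a small check, `shares_label_buffer`, of the kind a unit test can use to catch aliasing without ever triggering the undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical context with a heap-allocated, variable-length label
   (modelled loosely on an OAEP label; this is not OpenSSL's real struct). */
typedef struct {
    unsigned char *label;
    size_t labellen;
} oaep_ctx;

/* Allocate a context and give it its own copy of the label bytes. */
oaep_ctx *ctx_new(const unsigned char *label, size_t len) {
    oaep_ctx *c = calloc(1, sizeof *c);
    if (c == NULL) return NULL;
    if (len > 0) {
        c->label = malloc(len);
        if (c->label == NULL) { free(c); return NULL; }
        memcpy(c->label, label, len);
    }
    c->labellen = len;
    return c;
}

/* Release a context and the buffer it owns. */
void ctx_free(oaep_ctx *c) {
    if (c == NULL) return;
    free(c->label);
    free(c);
}

/* Defective duplication: struct assignment copies the pointer, not the
   bytes. ctx_free() on both the original and the copy frees the same
   buffer twice, and the survivor then holds a dangling pointer (UAF). */
oaep_ctx *ctx_dup_shallow(const oaep_ctx *src) {
    oaep_ctx *d = malloc(sizeof *d);
    if (d == NULL) return NULL;
    *d = *src;
    return d;
}

/* Correct duplication: the copy gets a freshly allocated buffer, so each
   object owns exactly one buffer and can be freed independently. */
oaep_ctx *ctx_dup_deep(const oaep_ctx *src) {
    return ctx_new(src->label, src->labellen);
}

/* Aliasing check: 1 if both contexts point at the same heap buffer. */
int shares_label_buffer(const oaep_ctx *a, const oaep_ctx *b) {
    return a->label != NULL && a->label == b->label;
}

/* Returns 1 when the deep copy is independent of, and equal to, the original. */
int demo_deep_copy_is_independent(void) {
    static const unsigned char lbl[] = "constructed-label";   /* constructed input */
    oaep_ctx *orig = ctx_new(lbl, sizeof lbl - 1);
    if (orig == NULL) return 0;
    oaep_ctx *copy = ctx_dup_deep(orig);
    if (copy == NULL) { ctx_free(orig); return 0; }
    int ok = !shares_label_buffer(orig, copy)
             && copy->labellen == orig->labellen
             && memcmp(copy->label, orig->label, orig->labellen) == 0;
    ctx_free(orig);   /* safe: each context owns its own buffer */
    ctx_free(copy);
    return ok;
}

/* Returns 1 when the shallow copy aliases the original's buffer. The copy's
   struct is released with free() alone; ctx_free(copy) here would be the
   double free the text describes, so it is deliberately not called. */
int demo_shallow_copy_aliases(void) {
    static const unsigned char lbl[] = "constructed-label";   /* constructed input */
    oaep_ctx *orig = ctx_new(lbl, sizeof lbl - 1);
    if (orig == NULL) return 0;
    oaep_ctx *copy = ctx_dup_shallow(orig);
    if (copy == NULL) { ctx_free(orig); return 0; }
    int aliased = shares_label_buffer(orig, copy);
    free(copy);
    ctx_free(orig);
    return aliased;
}

int main(void) {
    printf("deep copy independent: %d\n", demo_deep_copy_is_independent());
    printf("shallow copy aliases:  %d\n", demo_shallow_copy_aliases());
    return 0;
}
```

Building the program with AddressSanitizer (`-fsanitize=address`) and calling `ctx_free` on both halves of a shallow pair is the quickest way to see the double-free report this class of bug produces; the aliasing check above is the non-crashing form of the same test, suitable for a regression suite.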