Comment

Open Thread (w/ Heartbleed News)

13
Nerdy Fish 4/09/2014 3:53:42 pm PDT

re: #9 Charles Johnson

The code that caused this is embarrassingly simple, and it’s kind of surprising nobody found it in two years. It’s a simple bounds checking error — a two-byte integer value that isn’t checked to make sure it really is a two-byte integer. But it’s a big open source project.

And that’s just it. On a project of the scale of OpenSSL, there may be bugs that are undiscovered even after it gets completely replaced by another library. Even with thorough code review, all it takes is for a reviewer’s eyes to glaze over at the wrong moment to allow a simple one-line bug to slip in.
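The kind of one-line length check discussed in this comment, as an added example (not OpenSSL's code and not part of the original comment): a heartbeat-style record carries a two-byte payload length, and the receiver must compare it with the bytes actually received before echoing the payload. The function names, the 23-byte sample record and the "ping" payload are constructed for illustration; the unchecked copy is only measured, never performed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER 3    /* 1-byte type + 2-byte payload length */
#define HB_PADDING 16  /* minimum padding that follows the payload */
#define HB_SAMPLE_LEN (HB_HEADER + 4 + HB_PADDING)

/* The sender-controlled 2-byte big-endian length field. */
static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* How many bytes an unchecked memcpy(out, rec + 3, claimed) would read
 * past the end of the record. Computed only; no over-read happens here. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER) return 0;
    size_t claimed = hb_claimed_len(rec);
    size_t present = rec_len - HB_HEADER;
    return claimed > present ? claimed - present : 0;
}

/* Hardened echo: copy the payload only when header + claimed length +
 * padding fits in what was received. Returns bytes copied, or -1. */
long hb_echo_checked(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING) return -1;
    size_t claimed = hb_claimed_len(rec);
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return -1; /* the bounds check */
    if (claimed > out_cap) return -1;
    memcpy(out, rec + HB_HEADER, claimed);
    return (long)claimed;
}

/* Constructed sample: type 1, the given claimed length, payload "ping". */
void make_record(uint8_t *buf, uint16_t claimed) {
    memset(buf, 0, HB_SAMPLE_LEN);
    buf[0] = 1;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xff);
    memcpy(buf + HB_HEADER, "ping", 4);
}

int main(void) {
    uint8_t rec[HB_SAMPLE_LEN], out[64];
    make_record(rec, 0xFFFF); /* claims 65535 bytes, sends 4 */
    printf("unchecked over-read: %zu bytes, checked result: %ld\n",
           hb_overread_bytes(rec, sizeof rec),
           hb_echo_checked(rec, sizeof rec, out, sizeof out));
    return 0;
}
```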