On 4/12/26 19:28, Alexander Patrakov wrote:
> Hello Alan,
>
> How am I, as a user, supposed to authenticate these PDFs as materials
> really produced by the parties Hex claims they are from? The PDFs are
> offered for download from the audited-party domain, not from the auditors'
> domains, and do not contain any digital signatures.

That'd be a question to ask the Hex people, not the unrelated person who
saw the reports online and brought them to this mailing list, but for at
least Paraxial, I can point out that I first learned about this audit
from their blog post at https://paraxial.io/blog/hex-pentest which I saw
shared in the OpenSSF Slack forums.
--
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - https://blogs.oracle.com/solaris