I am under the impression that Heimdal's process for reporting sensitive bugs is broken. I am referring to the following sentence on https://www.h5l.org/ :
"Security sensitive bug reports should be sent to heimdal-b...@h5l.org using this PGP key (key id 3B81827E)." Not only do I get the impression that bug reports sent in this manner are not being acted on (it could be just a lack of feedback but that's also a problem), but all subkeys of that PGP key have expired: the ones in the file on the web site ten years ago, the newer ones available through the PGP keyservers more recently. The web site *is* being updated with release information so I don't understand why it is not also being updated with contact information.