I am consistently disappointed by the vulnerability communications from major zkVMs.
One buried a critical vulnerability by refusing to share it on socials, instead quietly dropping it on their blog until pressured to post on socials.
Another one posted the critical vulnerability on socials, but in highly technical terms with zero description of user-facing impact (i.e., that it seems to break the majority of proofs).
These are two of the most respected zkVMs. We use them in our stack. But they are not communicating openly and clearly about critical bugs that break their proof systems.
As a team using zkVMs for critical functions for our upcoming mainnet, it hurts our trust in these systems and damages zkVM adoption as a whole.
With @eth_proofs coordinating initiatives across the two dozen zkVMs in development, I hope that we can get to better standards soon.