It would be nice if these reports also listed implementations they analyzed carefully and concluded were not likely vulnerable.

In this case, they do show OpenSSL-- but it's buried under a generically titled click-through. I would guess they also found other apparently secure implementations, but none are listed.

Providing this information would have several benefits:

(1) People could look at the correct implementations and learn what choices they made which helped them avoid the issue.

(2) The incentive for making secure implementations would be increased.

(3) Effort could be conserved in identifying already correct implementations. In particular, correct implementations get asked over and over again if they're vulnerable ... and it can be a bit exposed-feeling to give an emphatic 'no' without the benefit of the assistance of the researchers and their test setup.

Also, if an error was made in identifying a correct implementation, then someone writing another paper refuting that sub-result would likely have an easier time getting published than someone who just did the same attack against more implementations-- increasing the incentive to continue this line of research.

Anyone know why they bother listing GitHub "stars" on the vulnerable software list?