An IEEE statement on the UMN paper
The IEEE, whose Symposium on Security and Privacy conference had accepted the "hypocrite commits" paper for publication, has posted a statement [PDF] on the episode.
The paper was reviewed by four reviewers in the Fall S&P 2021 review cycle and received a very positive overall rating (2 Accept and 2 Weak Accept scores, putting it in the top 5% of submitted papers). The reviewers noted that the fact that a malicious actor can attempt to intentionally add a vulnerability to an open source project is not new, but also acknowledged that the authors provide several new insights by describing why this might be easier than expected, and why it might be difficult for maintainers to detect the problem. One of the PC members briefly mentioned a possible ethical concern in their review, but that comment was not significantly discussed any further at the time; we acknowledge that we missed it.
The statement concludes with some actions to be taken by IEEE to ensure that ethically questionable papers are not accepted again.