Audience question about whether the speaker filed an issue with the Devise maintainers. Answer: he emailed about the pepper leak privately (not wanting to discuss it publicly first), got no reply after three months, and now feels justified talking about it publicly. Intends to contribute a fix eventually, but emphasizes that shipping API-breaking security changes in a library used by people who only bump packages is hard — OpenSSL still supports 25-year-old APIs for the same reason; a less painful migration path needs to be found.