EPSS Percentile: 37.4%
github.com/endophage/gotuf and github.com/theupdateframework/notary do not check whether the signature algorithm matches the key. An attacker could use this to forge a signature with a less cryptographically sound algorithm and recover private keys.
github.com/theupdateframework/notary/blob/master/docs/resources/ncc_docker_notary_audit_2015_07_31.pdf
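The missing check described above, as an added illustration that is not code from notary or gotuf: a verifier that refuses any signature whose declared method differs from the trusted key's type before running any cryptographic operation. The `Key`, `Signature`, `Verify` and `Demo` names and the sample payload are hypothetical and constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical TUF-style types (not the notary/gotuf API). Method is read from
// the signed file, so it is untrusted; Type comes from the trusted key record.
type Key struct{ Type string; Public any }
type Signature struct{ Method string; Sig []byte }
var ErrAlgMismatch = errors.New("signature method does not match key type")
var ErrBadSig = errors.New("signature verification failed")

// Verify picks the algorithm from the trusted key, never from sig.Method alone.
func Verify(k Key, s Signature, msg []byte) error {
	if s.Method != k.Type {
		return ErrAlgMismatch // reject before touching any crypto routine
	}
	switch pub := k.Public.(type) {
	case ed25519.PublicKey:
		if k.Type == "ed25519" && ed25519.Verify(pub, msg, s.Sig) {
			return nil
		}
	case *ecdsa.PublicKey:
		h := sha256.Sum256(msg)
		if k.Type == "ecdsa" && ecdsa.VerifyASN1(pub, h[:], s.Sig) {
			return nil
		}
	}
	return ErrBadSig
}

// Demo runs three checks over constructed keys and a constructed payload.
func Demo() (error, error, error) {
	msg := []byte("constructed metadata payload")
	edPub, edPriv, _ := ed25519.GenerateKey(rand.Reader)
	ecPriv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	edSig := ed25519.Sign(edPriv, msg)
	return Verify(Key{"ed25519", edPub}, Signature{"ed25519", edSig}, msg), // accepted
		Verify(Key{"ed25519", edPub}, Signature{"ecdsa", edSig}, msg), // method != key type
		Verify(Key{"ecdsa", &ecPriv.PublicKey}, Signature{"ecdsa", edSig}, msg) // wrong key
}

func main() { fmt.Println(Demo()) }
```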