Before anyone panics, if wallets strictly follow RFC 6979 (nonces are derived deterministically from the hashed message), their input-to-bytes conversion is not erroneous, and doesn't allow custom nonce injection, everything should be safe. https://github.com/advisories/GHSA-vjh7-7g9h-fjfh I'm all for experimenting with hedged signatures, just like Paul suggests. Thankfully, this time, the vulnerability isn't completely devastating, but who knows what might happen next time. Let's give hedged signatures a try and see how it goes. One thing I personally like a lot is that hedged signatures don't have a single point of failure (eg. the nonce k) but require someone to break randomness _and_ the generation process.