Thunderbird recently issued two CVEs related to unencrypted secret key material. In CVE-2021-29956, TB forgot to encrypt the secret key material for newly imported keys. In CVE-2021-29950, which introduced the previous CVE, they forgot to reprotect secret key material in memory. In this blog post, I discuss what we can learn. https://sequoia-pgp.org/blog/2021/05/22/202105-a-look-at-two-recent-cves-in-thunderbirds-openpgp-support/