I have far more evidence of a very good security record with MaraDNS than “No bugs in 3 years in this software with a much smaller audience and also look AI audits!”

• The software has been around for 25 years
• The software is popular enough to have been subjected to dozens of security code audits, including two audits in the post-AI era
• In those 25 years, only two remote “packet of death” bugs have been found
• Also, in those same 25 years, only one single bug report of remotely exploitable memory leaks has been found

This isn’t something which, as implied here, has a lot of security bugs only because no one has used or audited the software. This is a long term, mature code base which has only had a few serious security bugs in that timeframe.

Here is my evidence: https://samboy.github.io/MaraDNS/webpage/security.html

If this evidence isn’t “convincing” to you, I don’t know what evidence would be “convincing”.
To illustrate the issue with an extreme example, consider that a disused repository on GitHub full of security holes is highly unlikely to have any CVEs regardless of age. The software has to present a worthwhile target (i.e. have a substantial long-term userbase) before anyone will bother to look for exploits. (I guess that might change in the near future thanks to AI but I don't think we're there just yet.)