[gcr]

MaraDNS is much less popular than dnsmasq though.

I have several libraries that I've written. Not one single serious security bug in them has been found since 1991. Granted, nobody uses my libraries...

Not to diminish your team's achievement! :D But it's important to contextualize claims like this with information about what your userbase looks like

[strenholme]

A lot of security and other audits have been performed against it though; MaraDNS, after all, is notable enough to have a Wikipedia page and hundreds of GitHUB stars.

For example, when the Ghost Domain Name DNS vulnerability was discussed, MaraDNS was audited and named (MaraDNS was immune to the security bug, for the record)

https://web.archive.org/web/20120304054959/https://www.isc.o...

[andrewjf]

I don't think that's relevant. You can still find security issues in software nobody uses.

The question is a matter of impact because of how used the software is.

[VorpalWay]

Way fewer people are going to look at obscure things, so a lower percentage of issues will likely have been found. There is less fame and fotune in spending security research time on obscure software. Most small libraries won't be covered by any bug bounty programs either for example.

[andrewjf]

You don't need other people anymore to find security issues, you can do it yourself with AI.

[rhdnfjtkfmf]

Even accepting the premise, is it not immediately obvious to you that folks will be spending more money and effort aiming AI at higher-impact targets? This isn’t all-or-nothing.