A lot of security and other audits have been performed against it though; MaraDNS, after all, is notable enough to have a Wikipedia page and hundreds of GitHUB stars.
replyFor example, when the Ghost Domain Name DNS vulnerability was discussed, MaraDNS was audited and named (MaraDNS was immune to the security bug, for the record)
https://web.archive.org/web/20120304054959/https://www.isc.o...
I don't think that's relevant. You can still find security issues in software nobody uses.
replyThe question is a matter of impact because of how used the software is.
Way fewer people are going to look at obscure things, so a lower percentage of issues will likely have been found. There is less fame and fotune in spending security research time on obscure software. Most small libraries won't be covered by any bug bounty programs either for example.
replyYou don't need other people anymore to find security issues, you can do it yourself with AI.
replyEven accepting the premise, is it not immediately obvious to you that folks will be spending more money and effort aiming AI at higher-impact targets? This isn’t all-or-nothing.
reply