[dns-operations] All Too Quiet?

Florian Weimer fw at deneb.enyo.de
Mon Jul 28 20:31:46 UTC 2008

> Ask them if they want proof, and ask them to sign a waiver making them
> responsible if you succeed in proving the vulnerability.

Uhm, I think you misunderstood.  It's about proving attacks, with real
monetary loss.  Of course, you can do that, too, but it's a bit more
difficult (and management won't sign it off, hopefully).

That's why I think vulnerability details don't matter much for risk
assessment.  You need to know a few basic things (which aren't provided
in standard advisories, unfortunately), but beyond that, it's all about
the attacks, not the vulnerability itself.  And most attacks never

More information about the dns-operations mailing list