[dns-operations] All Too Quiet?

Florian Weimer fw at deneb.enyo.de
Mon Jul 28 20:31:46 UTC 2008


> Ask them if they want proof, and ask them to sign a waiver making them
> responsible if you succeed in proving the vulnerability.

Uhm, I think you misunderstood.  It's about proving attacks, with real
monetary loss.  Of course, you can do that, too, but it's a bit more
difficult (and management won't sign it off, hopefully).

That's why I think vulnerability details don't matter much for risk
assessment.  You need to know a few basic things (which aren't provided
in standard advisories, unfortunately), but beyond that, it's all about
the attacks, not the vulnerability itself.  And most attacks never
happen.


