bwanshoom wrote:
I based my response on the list of vulnerabilties from openssl listed here. It appears there were at least 9 security vulnerabilities resolved in the past 2 years not including Heartbleed. While what you say is true for most software, openssl is pretty much all security or security-related.
Since we are looking at the same list it is easy to see where we disagree. I see a difference between "security" and "vulnerability", you lump them together. Being exposed to a DoS or a crash is a vulnerability, peeking into 64K of memory is a security hole. Much of the software "you don't see" is never exposed to situations where it would be vulnerable to a DoS or client/server crash so there is no concern for preventing it. If it was the fixes would be implemented.
Dave
