
Wow, I believe this is the first-ever "security guarantee" payout by DJB? Not bad! Not bad at all, considering how popular both qmail and djbdns are.



I think so, unless you count the prize for "most interesting cryptanalysis of Salsa20" as a security guarantee. Also, someone discovered a bug in qmail a while back, but DJB disputed that it was security-related and didn't pay. Having seen the details, I'm inclined to side with DJB.


There was a (contested) claim against qmail, where Georgi Guninski found an LP64 integer overflow that would only have been exploitable if you explicitly configured your system to allow qmail to consume huge amounts of memory. The code was imperfect, but the deployed software was safe. So far as I know, DJB didn't pay this out. I'm ambivalent about it.


> would only have been exploitable if you explicitly configured your system to allow qmail to consume huge amounts of memory.

Are you sure it's explicit (i.e. changing some qmail configuration file) rather than just depending on how the system-wide rlimits are set up?

Guninski claimed that following the exact instructions in the INSTALL file results in a vulnerable configuration (assuming the exploitable hardware configuration).

http://www.ornl.gov/lists/mailing-lists/qmail/2005/05/msg008...
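The LP64 integer-overflow class the thread is arguing about, as an added example that is not qmail's code, Guninski's report, or anything DJB wrote: a hypothetical growable buffer whose length and capacity are `int` while pointers and `size_t` are 64-bit, the unchecked counter wrap that becomes a heap overwrite once the process can hold more than INT_MAX bytes, a checked append that refuses instead, and a query of the process rlimits (RLIMIT_AS and RLIMIT_DATA) that tells you whether that precondition is reachable at all. Every name here (`ibuf`, `int_len_overflows`, `wrapped_len`, `limit_permits_int_wrap`, `process_can_exceed_int_max`) is invented for this example.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Hypothetical growable buffer in the style of older C code: length and
 * capacity are `int`, while the pointer (and malloc's size_t) is 64 bits
 * on LP64. This is NOT qmail's data structure, just the general pattern. */
struct ibuf {
    char *s;
    int len;    /* bytes in use */
    int alloc;  /* bytes allocated */
};

/* Would appending n bytes push the int length past INT_MAX?
 * Computed in size_t so the check itself cannot wrap. */
bool int_len_overflows(int cur, size_t n)
{
    if (cur < 0)
        return true;
    return n > (size_t)INT_MAX - (size_t)cur;
}

/* What an unchecked `len += n` leaves in the counter: the low 32 bits of
 * the true sum reinterpreted as a signed int (two's complement wrap, which
 * is what gcc and clang produce). Once len is negative, a later test like
 * `if (len + n > alloc)` passes and `memcpy(s + len, ...)` writes out of
 * bounds. On ILP32 the same code could never get this far, because a
 * 2 GiB buffer does not fit the address space in the first place. */
int wrapped_len(int cur, size_t n)
{
    uint32_t low = (uint32_t)((size_t)cur + n);
    return (int)low;
}

/* Checked append: refuses rather than wrapping. Returns 0 on success,
 * -1 on overflow or allocation failure. */
int ibuf_append(struct ibuf *b, const char *src, size_t n)
{
    if (int_len_overflows(b->len, n))
        return -1;                      /* would wrap the counter: refuse */
    int need = b->len + (int)n;         /* safe: checked above */
    if (need > b->alloc) {
        size_t cap = (size_t)need + 32;
        if (cap > (size_t)INT_MAX)      /* keep alloc representable too */
            cap = (size_t)INT_MAX;
        char *p = realloc(b->s, cap);
        if (p == NULL)
            return -1;
        b->s = p;
        b->alloc = (int)cap;
    }
    memcpy(b->s + b->len, src, n);
    b->len = need;
    return 0;
}

/* Given one resource limit (as returned by getrlimit), may a single process
 * grow past INT_MAX bytes? That is the precondition for the wrap above. */
bool limit_permits_int_wrap(rlim_t lim)
{
    return lim == RLIM_INFINITY || lim > (rlim_t)INT_MAX;
}

/* Ask the live process. The answer depends on the limits inherited from the
 * shell, init script or supervisor, not on anything in the program itself. */
bool process_can_exceed_int_max(void)
{
    struct rlimit as, data;
    if (getrlimit(RLIMIT_AS, &as) != 0 || getrlimit(RLIMIT_DATA, &data) != 0)
        return true;                    /* cannot tell: assume the worst */
    return limit_permits_int_wrap(as.rlim_cur) &&
           limit_permits_int_wrap(data.rlim_cur);
}

/* Self-check: append 5 bytes, then ask for INT_MAX more, which must be
 * refused without touching len. Returns the final len (5) on success. */
int demo_append_sequence(void)
{
    struct ibuf b = { NULL, 0, 0 };
    if (ibuf_append(&b, "hello", 5) != 0)
        return -1;
    if (ibuf_append(&b, "x", (size_t)INT_MAX) != -1)
        return -2;
    int final_len = b.len;
    free(b.s);
    return final_len;
}

int main(void)
{
    printf("INT_MAX-1 + 2 overflows int: %s\n",
           int_len_overflows(INT_MAX - 1, 2) ? "yes" : "no");
    printf("unchecked counter after INT_MAX + 1: %d\n", wrapped_len(INT_MAX, 1));
    printf("checked append sequence final len: %d\n", demo_append_sequence());
    printf("this process may hold > INT_MAX bytes under current rlimits: %s\n",
           process_can_exceed_int_max() ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c99 -Wall example.c`. The last line of output is the part that varies by deployment: run it under the same limits the daemon would inherit (the supervisor's or init script's `ulimit -v` / `ulimit -d`, or `softlimit` if one is used) rather than from an interactive shell, since that is what decides whether the arithmetic bug is reachable.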




