So... is it time yet to develop mitigations against DoS attacks by security researchers? The first thing I would suggest is that CVEs should only be requested by first parties (e.g. the manufacturer/developers), but that of course gives manufacturers too much leeway to deny real security issues.
Maybe some proof-of-work rating? For example, CVE severity is assigned not on theoretical susceptibility, but on actual breach level that the researcher is able to achieve.
The problem, as always, is trust, and trust arbitration.