jpollock 8 hours ago

The severity of the DoS depends on the system being attacked, and how it is configured to behave on failure.

If the system is configured to "fail open", and it's something validating access (say anti-fraud), then the DoS becomes a fraud hole and profitable to exploit. Once discovered, this runs away _really_ quickly.

Treating DoS as affecting availability converts the issue into a "do I want to spend $X from a shakedown, or $Y to avoid being shaken down in the first place?"

Then, "what happens when people find out I pay out on shakedowns?"

staticassertion 8 hours ago | parent | next [-]

If the system "fails open" then it's not a DoS, it's a privilege escalation. What you're describing here is just a matter of threat modeling, which is up to you to perform and not a matter for CVEs. CVEs are local properties, and DoS does not deserve to be a local property that we issue CVEs for.

otabdeveloper4 34 minutes ago | parent [-]

You're making too much sense for a computer security specialist.

michaelt 8 hours ago | parent | prev | next [-]

> If the system is configured to "fail open", and it's something validating access (say anti-fraud),

The problem here isn't the DoS, it's the fail open design.

jpollock 7 hours ago | parent [-]

If the majority of your customers are good, failing closed will cost more than the fraud during the anti-fraud system's downtime.

lazyasciiart 3 hours ago | parent [-]

Until any bad customer learns about the fail-open.
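The cost trade-off jpollock describes, and the risk lazyasciiart points at, can be made concrete. The following is an added illustration for this thread, not code from any project discussed here; `FraudService`, `Gate`, the `ALLOW_DEGRADED` decision and the "tiered" policy (fail open only below an amount threshold, and count every degraded allow so the outage is visible) are assumptions made for the example. It simulates the same constructed traffic through a fail-closed, a fail-open and a tiered gate while the anti-fraud backend is down, and reports how much fraud got through versus how many good customers were blocked.

```python
"""Fail-open vs fail-closed behaviour of an access check whose backend
(an anti-fraud scorer) is unavailable. Added example; all names below
are assumptions, and the traffic is constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ALLOW_DEGRADED = "allow-degraded"   # allowed only because the checker was down


class FraudServiceDown(Exception):
    """Raised when the anti-fraud backend times out or is unreachable."""


class FraudService:
    """Stand-in for a remote anti-fraud scorer. healthy=False simulates the
    backend being knocked over (e.g. by a DoS); the caller cannot tell a
    timeout from an outage, which is exactly the fail-open/closed decision."""

    def __init__(self, healthy=True, flagged=frozenset()):
        self.healthy = healthy
        self.flagged = set(flagged)   # constructed list of known-bad accounts

    def is_fraudulent(self, account, amount):
        if not self.healthy:
            raise FraudServiceDown("anti-fraud backend unreachable")
        return account in self.flagged


@dataclass
class Gate:
    service: FraudService
    mode: str = "closed"      # "open", "closed" or "tiered" (assumed policy names)
    open_below: int = 50      # tiered mode: fail open only for amounts below this
    degraded_allows: int = 0  # operators should alert when this starts climbing
    log: list = field(default_factory=list)

    def check(self, account, amount):
        try:
            return Decision.DENY if self.service.is_fraudulent(account, amount) else Decision.ALLOW
        except FraudServiceDown:
            self.log.append(f"degraded: fraud check unavailable for {account} amount={amount}")
            if self.mode == "open" or (self.mode == "tiered" and amount < self.open_below):
                self.degraded_allows += 1
                return Decision.ALLOW_DEGRADED
            return Decision.DENY


# Constructed traffic: (account, amount). "mallory" is the only known-bad account.
KNOWN_BAD = frozenset({"mallory"})
TRAFFIC = [("alice", 20), ("bob", 200), ("mallory", 20), ("mallory", 500)]


def run(mode, healthy):
    """Push TRAFFIC through a gate in the given mode and summarise the damage
    in both directions: fraud that slipped through and good customers blocked."""
    gate = Gate(FraudService(healthy=healthy, flagged=KNOWN_BAD), mode=mode)
    results = {txn: gate.check(*txn) for txn in TRAFFIC}
    fraud_let_through = sum(1 for (acct, _), d in results.items()
                            if acct in KNOWN_BAD and d is not Decision.DENY)
    good_blocked = sum(1 for (acct, _), d in results.items()
                       if acct not in KNOWN_BAD and d is Decision.DENY)
    return {"fraud_let_through": fraud_let_through,
            "good_blocked": good_blocked,
            "degraded_allows": gate.degraded_allows}


if __name__ == "__main__":
    for mode in ("closed", "open", "tiered"):
        print(mode, "during outage:", run(mode, healthy=False))
```

During the simulated outage the fail-closed gate blocks both good customers and lets no fraud through; the fail-open gate blocks nobody and lets both fraudulent transactions through; the tiered gate caps the exposure at the low-value transaction while still serving small legitimate traffic. Whichever policy is chosen, the `degraded_allows` counter and the log line are what turn "we failed open" from a quiet fraud hole into an alert.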

vasco an hour ago | parent | prev [-]

> Treating DoS as affecting availability converts the issue into a "do I want to spend $X from a shakedown, or $Y to avoid being shaken down in the first place?"

> Then, "what happens when people find out I pay out on shakedowns?"

What do you mean? You pay someone other than whoever did the DoS. You pay your way out of a DoS by throwing more resources at the problem, both in raw capacity and in network blocking capabilities. So how is that incentivising the attacker? Or did you mean some literal blackmailing??