Nick: From a project standpoint, we can't prevent anyone from assigning a CVE to any particular bug, but take no position on whether someone should. All we ask is that you let us know (by updating this bug report) what CVE number gets assigned so that if we or someone else later decide it needs a CVE we don't end up with duplicate assignments. The main question to the project is whether this warrants a broadly circulated advisory. Resource consumption bugs only reachable by authenticated users tend to straddle the line on practical exploit vs security hardening opportunity.
If there are other known ways for authenticated users to create resources which can fill up databases as quickly (regardless of whether they would "get billed" for them: someone who is malicious enough to do this likely has no intent of paying a bill anyway), then publishing an advisory would send a misleading signal that we don't expect authenticated users to be able to consume resources. The speed at which they can fill a reasonably sized database in a production deployment, and whether or not this activity is likely to be detected by typically employed API rate limiters or resource monitoring systems, also informs the decision on whether this rises to the level of a security advisory.
Neutron maintainers: What's your take on these factors?