Vulnerability Disclosure Queue Overload

This applies The Natural Framework and The Parts Bin to vulnerability disclosure.

A vulnerability report creates verification work.

The recipient may need to identify the affected component, reconstruct the environment, run the reproducer, distinguish a bug from a security boundary violation, estimate impact, coordinate a fix, and decide what can be disclosed. Producing the report can be much cheaper than verifying it.

That asymmetry is not new. Generative models increase it. A model can produce a report that is specific, internally consistent, version-aware, and responsive to follow-up even when the vulnerability is not real. Polished prose is not evidence, but it can cause a report to pass initial screening and reach a specialist.

This creates a possible denial-of-service mechanism against human verification capacity.

The problem

A disclosure channel is an externally writable work queue. Its scarce resource is not inbox space but expert verification.

Report count is an incomplete load measure. Exact duplicates may be cheap, while one alleged race in a hardware-dependent subsystem may require a scarce specialist.

For report (i), let (p_i) be the probability that it requires investigation and (c_i) the expected expert time needed to reach a useful conclusion. Offered load is

[ L = \sum_i p_i c_i ]

and utilization is

[ \rho = \frac{L}{C} ]

where (C) is available verification capacity in the relevant interval. The relevant capacity is often not the intake team’s total headcount. It is the bottleneck specialist shared across maintainers, vendors, distributions, CNAs, and CERTs.

Below (\rho=1), ordinary review can keep up. Above it, backlog age increases. The system must allocate limited verification capacity.

High report volume is not required. A small number of reports can create overload if each is cheap to generate, expensive to falsify, and plausible enough to require investigation. More capable report generators can increase verification work per submission.

Persistent overload can also change disclosure policy. A project may tighten intake, give less attention to unknown reporters, or move coordination into private reputation networks. These changes may reduce access for legitimate reporters after the backlog clears.

“Security siege” is one possible description: the objective is to consume defensive capacity until access to the disclosure process is restricted.

The risk is likely to increase over time. Disclosure channels need to accept reports from unknown parties, and novel claims cannot be rejected by pattern matching alone. At the same time, the cost of generating coherent technical claims is falling as models improve at code analysis, tool use, and follow-up interaction. Triage responses can reveal acceptance criteria, while ordinary bounty incentives and automated scanning can produce similar load without malicious intent. Operational overload can therefore provide information useful to a later deliberate attempt.

This does not make a deliberate attack certain. It does make continued attacker disinterest an unsuitable control. An open channel through which untrusted input allocates scarce expert work should be treated as an attack surface.

The individual parts of this problem have prior work, although I have not found a disclosure-specific overload protocol that combines them.

The contribution here is narrower than a new triage algorithm. It is the combination of disclosure-specific work amplification, overload activation and recovery, private conditional verification outcomes, dependency-aware cache invalidation, and protected review capacity for unknown reporters.

The strategy

Treat vulnerability disclosure as a congestion-controlled information pipe.

The pipe should make repeated and weakly evidenced claims cheap to process while preserving a route for surprising genuine findings. It has five forward operations and one learning operation:

[ \text{Perceive} \rightarrow \text{Cache} \rightarrow \text{Filter} \rightarrow \text{Attend} \rightarrow \text{Transmit} ]

[ \text{Consolidate}: \text{outcomes} \rightarrow \text{policy}’ ]

Calling the whole mechanism a filter hides the important distinctions. The Parts Bin gives each operation a separate contract:

Guarantees

The implementation can adapt to the host system, but it should preserve these properties:

The success criterion is not a clean inbox. It is continued progress on genuine high-impact reports under saturation.

When to use it

Use congestion control when expected verification work persistently approaches or exceeds the capacity of the relevant specialists. Signals include:

The instrumentation should run during normal operation so baselines, service times, cache quality, and reporter histories exist before an incident. Consequential load shedding should activate progressively:

The playbook should be exercised in a closed replay before it is needed. Include polished false reports, badly written genuine reports, duplicates, specialist bottlenecks, and a real critical finding hidden inside the surge. Do not test the idea by sending synthetic reports into a live project; that performs the harm the exercise is supposed to prevent.

When not to use it

Reference implementation: algorithms and contracts

The implementation is a composition of known operations, not one triage model. The following table is a parts list rather than a required stack. An implementation can use mechanisms already present in the host system when they satisfy the same contracts.

StageAlgorithmContract
PerceiveSchema-constrained LLM extractionRaw report → typed claims with source spans; no claim gains evidentiary status
PerceiveContent-addressed artifact hashingArtifact → stable identifier; byte-identical inputs share a key
CacheHash indexStable key → exact prior record in amortized (O(1))
CacheDependency graph with reverse indexChanged assumption → every assertion that depended on it
CacheHNSW or another ANN indexClaim → bounded candidate set of similar claims; false matches may cost work but cannot reject
FilterExact predicate gatesIndexed reports → strictly smaller in-scope, structurally complete subset
FilterHierarchical verificationCheap checks precede expensive checks; each failure returns a specific missing condition
AttendPareto frontierReports → undominated set without inventing a total order
AttendConstrained diverse top-k / Sieve-StreamingSelected stream + capacity policy → bounded slate spanning protected lanes
AttendAging heap within each laneWaiting reports → deadline order; no eligible report starves indefinitely
ConsolidateDecayed beta-binomial reliability estimateReporter × subsystem outcomes → calibrated distribution, not a truth score
ConsolidateRandom audit with logged selection probabilityDeferred population → unbiased evidence about policy errors
ConsolidateChange-point detectionWorkload and outcome stream → drift alert when the old policy no longer fits
TransmitAppend-only WAL/event sourcingDecision event → lossless, ordered, auditable history
TransmitMerkle root or hash chainEvent history → tamper-evident assertion set for trusted exchange

The primary data object is a typed claim graph:

claim
├── product and component
├── versions and commits
├── required configuration
├── attacker capability
├── action sequence
├── expected observation
├── claimed boundary crossed
├── claimed consequence
└── evidence artifacts

The LLM is useful as a parser because fluent paraphrases then collapse to comparable structures. Report text remains untrusted data. The model emits a constrained object with spans back to the source; files, commits, logs, containers, and reproducers receive exact hashes.

One reference design gives the private evidence cache an exact primary key:

[ K=(\text{product},\text{commit},\text{configuration}, \text{preconditions},\text{boundary},\text{reproducer hash}) ]

The cache should preserve the distinction among verification outcomes:

OutcomeMeaningScheduling effect
InvalidEvidence contradicts the claimMay support a conditional negative assertion
Not reproducedThe specified observation was not obtainedReuse the attempted environment and tests; do not treat as contradiction
Insufficient evidenceRequired conditions or artifacts are missingWait for specific additional evidence
Out of scopeThe recipient is not responsibleRoute or decline without judging validity
DuplicateThe claim is already representedMerge with the existing investigation
UnresolvedInvestigation did not reach a conclusionRetain for aging, escalation, or later review

All six outcomes are useful cache records. Only Invalid directly supports a negative assertion, and that assertion remains scoped to the conditions under which the contradiction was observed.

An embedding index retrieves possible analogues. A structural matcher and the stored evidence determine whether the hit is strong, partial, or a miss. A Bloom filter is safe only as a front door to the exact store: a positive means “look this up,” never “discard it.”

Filtering then purchases certainty in increasing-cost layers:

schema complete
→ artifacts retrievable
→ environment constructible
→ behavior reproducible
→ boundary violation observable
→ consequence credible

Failure usually moves a report into a waiting state with a precise request for distinguishing evidence. “Not reproduced” does not silently become “false.”

Reports that survive are not collapsed into one score. Impact, evidence, reporter history, age, verification cost, and specialist scarcity are not naturally commensurate. Establish pairwise better/worse relations only where one report clearly dominates another, preserve the rest as a partial order, and choose the next bounded slate under explicit constraints:

A heap remains useful for deadlines inside a lane. It should not define the global truth hierarchy.

Reporter history can be represented as a decayed, subsystem-specific distribution. A beta-binomial posterior is one candidate for confirmed versus unsupported reports, provided unresolved reports are not counted as failures. Routing can use a conservative confidence bound. It should not use the posterior mean as a validity verdict.

Validation state and publication state remain independent:

unreviewed → investigating → validated | invalidated | unresolved

private → coordinated → scheduled → published

Store every transition in an append-only log. Materialized views answer the current status; the log answers what evidence existed under which conditions when the decision was made.

Cache busting

A negative assertion should name all the conditions that justified it:

assertion
├── tested commits
├── configuration fingerprint
├── compiler and dependencies
├── hardware or topology
├── boundary definition
├── reproduction evidence
└── confidence and expiry

When one changes, the reverse dependency graph finds affected assertions. Justification-based truth maintenance then supports three operations:

The bust event propagates independently of a public notice. It invalidates the private assertion, requeues affected claims, and informs authorized consumers. Frequently matched negative entries need scheduled revalidation because an incorrect entry can affect many later reports.

Evaluation criterion

The system determines which reports wait for review. Its effects are therefore organizational as well as technical.

If trust becomes an admission requirement, established identities receive most capacity. If similarity is treated as validity, an incorrect cache entry can suppress later reports. If overload controls become permanent, unknown researchers may stop using the channel.

The primary evaluation criterion is whether genuine high-impact reports, including reports from unknown people, retain a path to expert attention during overload. Throughput and inbox size are secondary measures.