After several prods, it seems the security@ and hackathon participants can't be drawn out of their shells on to dev@. So I'll simply call for a majority vote on the following statement...
Resource abuse of an .htaccess config in the form of cpu/memory/bandwidth; [ ] Represents a security defect [ ] Is not a security defect This would obviously need to be clarified in the associated .htaccess documentation, be associated with an advisory and affect the conclusion of several recent defect reports, both embargoed and discussed plainly here on this list.
