Isn't that a potential information leak, though? A potential black-hat attacker could sit around and brainstorm a big list of potential vulnerabilities without going through to figure out if they exist and are exploitable. Then they can start submitting them, and if they get closed as duplicate, they can quickly dive into that one, figure out how to exploit it, and make use of it for nefarious purposes.
>A potential black-hat attacker could sit around and brainstorm a big list of potential vulnerabilities without going through to figure out if they exist and are exploitable. Then they can start submitting them, and if they get closed as duplicate, they can quickly dive into that one, figure out how to exploit it, and make use of it for nefarious purposes.
So long as there is a bit of lag before confirmation (which, in practice, there already is), the vendor would know about the issue at least several days in advance of the black-hat even getting a hint and could hopefully patch it in that time.
For especially big holes, just take a bit longer than usual to get back to people until it's fixed.
No, it's exactly the sort of thought process people have.
Another scenario is someone does what you suggest after finding a real vulnerability, to waste the team's time while they exploit the real vulnerability.
Maybe that's a little farfetched, though.