Comment 1 for bug 1251518

Thierry Carrez (ttx) wrote :

Hmmm. Agree on the usefulness of such a setting, but should it be considered a vulnerability? I wonder if that would not fall under the "normal usage" for a public service: people using your service will grow the database behind it, so you have to have mitigation in place to prevent normal usage from triggering DoS.

The question is... where is the line? When should normal usage be considered a DoS vector? When it's easy to do? When it's anonymous to do? When it's free to do? When you can leverage quadratic blowup? So far we considered the combination of the last two (free + blowup) to constitute a vulnerability. Not so sure about other combinations (here we have easy + free IIUC).