Comment 21 for bug 1316822

Jeremy Stanley (fungi) wrote:

I think the counterargument is that you shouldn't be able to "reboot" an instance which is in a down state, and safety checks were added in Icehouse to prevent exactly that. The issue arises if you're running Havana or earlier and don't realize you shouldn't reboot a down instance, in which case it gets brought up with no filtering (because reboot assumes it was already running and doesn't reapply them). So essentially if you do something you're not supposed to do, you can leave instances vulnerable--this requires a mistake on the part of an inexperienced operator, or a fairly significant amount of social engineering on the part of an attacker to convince the operator to make such an error, and has since been hardened in subsequent Nova releases anyway.
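The failure mode described above, reduced to a small Python model. This is an added illustration, not Nova code and not part of the bug thread: the Hypervisor, Instance, State and Rule names are hypothetical stand-ins, and the two reboot paths are simplified to exactly the behaviour the comment states (a plain reboot assumes the domain was running and leaves filters untouched; the Icehouse-style safety check refuses to reboot an instance that is down).

```python
"""Toy model of "reboot a down instance -> instance comes up unfiltered".

Added illustration only: none of this is Nova code. Hypervisor, Instance,
State and Rule are hypothetical stand-ins, and the two reboot paths are
reduced to the behaviour described in the comment.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    RUNNING = "running"
    DOWN = "down"      # domain gone from the hypervisor (e.g. after a host crash)


class InvalidState(Exception):
    """Raised by the hardened reboot path when the instance is not running."""


@dataclass(frozen=True)
class Rule:
    proto: str
    port: int


@dataclass
class Hypervisor:
    """Stand-in for the compute driver (constructed for this example).

    Packet filters live with the domain: destroying the domain removes them,
    and a plain restart neither checks for nor re-installs them.
    """
    domains: set = field(default_factory=set)
    filters: dict = field(default_factory=dict)   # instance id -> list of Rule

    def create_domain(self, instance_id, rules):
        self.domains.add(instance_id)
        self.filters[instance_id] = list(rules)

    def destroy_domain(self, instance_id):
        self.domains.discard(instance_id)
        self.filters.pop(instance_id, None)        # filters vanish with the domain

    def restart_domain(self, instance_id):
        # Assumes the domain was already running: filters are left as they are.
        self.domains.add(instance_id)


@dataclass
class Instance:
    id: str
    rules: list
    state: State = State.DOWN


def spawn(hv, inst):
    """Normal boot: the domain is created together with its security-group filters."""
    hv.create_domain(inst.id, inst.rules)
    inst.state = State.RUNNING


def host_crash(hv, inst):
    """The domain (and its filters) disappear; the instance is now 'down'."""
    hv.destroy_domain(inst.id)
    inst.state = State.DOWN


def reboot_unchecked(hv, inst):
    """Pre-Icehouse behaviour as described: no state check, nothing reapplied."""
    hv.restart_domain(inst.id)
    inst.state = State.RUNNING


def reboot_checked(hv, inst):
    """Icehouse-style safety check as described: refuse to reboot a down instance."""
    if inst.state is not State.RUNNING:
        raise InvalidState(f"{inst.id} is {inst.state.value}; refusing reboot")
    hv.restart_domain(inst.id)


def is_filtered(hv, inst):
    """True only if the hypervisor still holds exactly the instance's rules."""
    return hv.filters.get(inst.id) == inst.rules


def demo():
    """Run both reboot paths against a crashed instance and report the outcome."""
    rules = [Rule("tcp", 22)]                    # constructed sample security group

    hv, inst = Hypervisor(), Instance("i-1", rules)
    spawn(hv, inst)
    host_crash(hv, inst)
    reboot_unchecked(hv, inst)                   # "succeeds", instance is now unfiltered
    unchecked = (inst.state is State.RUNNING, is_filtered(hv, inst))

    hv, inst = Hypervisor(), Instance("i-2", rules)
    spawn(hv, inst)
    host_crash(hv, inst)
    try:
        reboot_checked(hv, inst)
        refused = False
    except InvalidState:
        refused = True                           # operator is stopped before harm is done
    return {"unchecked_running": unchecked[0],
            "unchecked_filtered": unchecked[1],
            "checked_refused": refused,
            "checked_state": inst.state}


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the unchecked path reports a running instance while `is_filtered` is false, which is what an operator would not notice without looking at the hypervisor's filter state; the checked path never reaches `restart_domain` at all.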