An attacker bent on "consuming CPU/memory/network/disk resources" isn't going to care whether the (stolen) credit card they signed up with gets charged. A failure to be able to bill users for resources they consume, while possibly still a bug worth fixing, doesn't on its own constitute a security vulnerability.
An attacker bent on "consuming CPU/memory/ network/ disk resources" isn't going to care whether the (stolen) credit card they signed up with gets charged. A failure to be able to bill users for resources they consume, while possibly still a bug worth fixing, doesn't on its own constitute a security vulnerability.