The hilarious thing is that that excuse is essentially just security through obscurity. Which is especially rich coming from the company whose vulnerability research team famously set a hard disclosure deadline that was shorter than many others at the time.
The engineering reality is that, much of the time, information asymmetry is a big help when you’re an anti-abuse engineer trying to build systems that distinguish good traffic from bad. It’s not an “undisclosed vulnerability” to build a very effective heuristic that wouldn’t be effective if it were public knowledge.
you would be shocked at how effective simple things like this are at stopping 90%+ of the bad actors, leaving significantly less manual work to identify the remaining 10%
