Supplementing CVEs with !CVEs: conflicts of interest
Posted Dec 6, 2023 19:50 UTC (Wed) by excors (subscriber, #95769)
In reply to: Supplementing CVEs with !CVEs: conflicts of interest by geofft
Parent article: Supplementing CVEs with !CVEs
From what I've seen, the boundaries of the threat model can be fuzzy. A while ago I was working with a chip in a very similar situation: there was a public disclosure of an easy-to-reproduce voltage glitching attack that could bypass an important security mechanism. The chip had never claimed security against glitching attacks and had been built with no defences against that, so it was behaving as intended. But at least one large customer wasn't happy about the situation, because it made their products vulnerable to any moderately-capable attacker, and I believe they made the chip vendor aware that if the vulnerability wasn't fixed they'd stop using that chip. (This wasn't about assigning blame, it was just about deciding a path forwards). And the vendor didn't have any similar chips with stronger security guarantees, so they'd lose the customer to another vendor.
Instead they spent about a year (and presumably a lot of money) producing a new revision of the silicon with mitigations against that specific attack. They were clear that this still wasn't general protection against glitching attacks, and they made no promises - it was just a best-effort attempt to lower the risk within the constraints of a chip that wasn't designed for that. Evidently they thought it was worth doing it to mollify the customers, and the customers had indicated this change would be enough, at least for a few years while the vendor developed their next-generation chips that were really designed for (and advertised) physical security.
The threat model is useful for communicating expectations between chip vendors and customers, but when a vulnerability is discovered it appears theoretical arguments about classification don't really matter - what ultimately matters is the financial pressure from customers to fix it.