TL;DR: ReDoS “vulnerabilities” are, overwhelmingly, indistinguishable from malicious noise:
1. They exist primarily because of misaligned incentives in the security reporting and vulnerability reporting ecosystems (and industries);
2. The risk they pose is extremely context sensitive and does not align with their ridiculous “severity” scores;
3. They produce security fatigue in the very engineers they’re meant to help, and effectively represent their own denial of service against timely resolution of actual vulnerabilities.
I agree with this.
While it would be nice to switch everything to non-backtracking regular expressions, most cases of ReDoS don't cause major security issues.
This is also a problem with the industry in general, as various vulnerability scanners are full of useless noise.
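An added example to make the "context sensitive" point concrete (this code is not from the quoted article or the comment above). It pairs the textbook nested-quantifier pattern with an equivalent that a backtracking engine matches in one pass, and shows the two controls that decide whether a ReDoS finding matters at all: whether attacker-controlled, unbounded input ever reaches the pattern, and whether the pattern is ambiguous. The pattern names, the `MAX_INPUT` cap and the adversarial inputs are assumptions constructed for illustration.

```python
"""Catastrophic backtracking versus a linear rewrite (constructed example).

Python's re module is a backtracking engine, so it exhibits the blow-up;
RE2-style engines (Go regexp, Rust regex) would match EVIL in linear time.
"""
import re
import time

# Textbook ReDoS pattern: the run of a's can be split between the inner and
# outer quantifier in exponentially many ways, and on a failing input the
# engine tries all of them before giving up.
EVIL = re.compile(r"^(a+)+$")

# Accepts exactly the same strings, but there is only one way to match,
# so a failing input is rejected after a single left-to-right pass.
SAFE = re.compile(r"^a+$")

# Hypothetical hard cap applied before untrusted text reaches a regex.
# For a backtracking engine this bounds the worst case (exponential in the
# cap for EVIL), which is usually what makes a ReDoS report a non-issue.
MAX_INPUT = 64


def adversarial(n: int) -> str:
    """n a's followed by a character that guarantees failure at the very end."""
    return "a" * n + "!"


def matches(pattern: re.Pattern, text: str) -> bool:
    """Plain match result, independent of how long the engine took."""
    return pattern.match(text) is not None


def timed_match(pattern: re.Pattern, text: str) -> tuple[bool, float]:
    """Match and report wall-clock seconds; used only for the demo output."""
    start = time.perf_counter()
    result = pattern.match(text) is not None
    return result, time.perf_counter() - start


def guarded_match(pattern: re.Pattern, text: str, limit: int = MAX_INPUT) -> bool:
    """Reject over-long input before the engine sees it.

    This is the mitigation that applies when the pattern cannot be changed
    (third-party code, or a pattern whose ambiguity is not obvious).
    """
    if len(text) > limit:
        raise ValueError(f"input length {len(text)} exceeds cap of {limit}")
    return pattern.match(text) is not None


def main() -> None:
    # Doubling time per extra 'a' is the signature of exponential backtracking.
    for n in (10, 14, 18, 20):
        text = adversarial(n)
        _, evil_seconds = timed_match(EVIL, text)
        _, safe_seconds = timed_match(SAFE, text)
        print(f"n={n:2d}  EVIL {evil_seconds * 1000:9.2f} ms   SAFE {safe_seconds * 1000:7.3f} ms")

    # The same pattern is harmless once input length is bounded.
    try:
        guarded_match(EVIL, adversarial(5000))
    except ValueError as exc:
        print("guarded:", exc)


if __name__ == "__main__":
    main()
```

Run it and the EVIL column roughly doubles with every added character while SAFE stays flat; raise n a few steps further and EVIL takes minutes. That growth is the whole vulnerability, and it only matters where an attacker controls the length of what the pattern sees, which is the context a CVSS score for a ReDoS finding almost never captures.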