> It will naturally die down as the legitimate ones are fixed.
Seems like we're already in the middle of this phase, but rather than dying down, the 'reports' have just gotten more noisy and obtuse, making it more difficult to establish the actual degree of threat / attack vector.
And if you are a state agency who'd like to keep the undisclosed zero-days you rely on secret, spamming maintainers with reports makes sense.
As a bonus if you find any actual zero-days in your mass-generated ones you don't report it and get a new one to play with.
I mean. Makes sense until adversary states start walking through the same doors you’re using. At which point you might regret that maintainers are too flooded to deal with it.
Assuming, of course, said state agency is operating under sufficiently strategic governance and management…