Red Hat's @kurtseifried thinks that 200 hours of brute force is a defense failure. smells like sour grapes for having ignored the problem.
it's in the advisory: "it has a good chance of gaining eip control after 2^17 * 5.5 seconds = 200 hours"

Jun 19, 2017 · 3:45 PM UTC

you gave it a CVE, not Qualys. since you failed to discuss it with us, now's the time (to rescind it).