When a protocol vendor confirms that a critical vulnerability is intentional, the question shifts from "when does the vendor patch this?" to "where does mitigation live now?" In this case the answer is neither the protocol layer nor the vendor SDK; it is the harnesses, sandboxes, and runtime guards that sit between the protocol and the host. That is the news this week.

The pattern

Vendor-confirmed by-design vulnerabilities are not new. They are a recurring class, and the shape repeats: a vendor ships a primitive, the security community discloses a flaw, the vendor reviews it and, instead of patching, declares the flaw intentional. The protocol becomes a constraint, not a contract, and mitigation moves downstream.

When this happens, the question for enterprise security teams is no longer "what version do we update to?" The question is: which downstream layer enforces what the protocol does not?…