Banked from the Vercel/Next.js CVE-2025-29927 incomplete-fix sibling hunt = WALK at the disclosure/saturation gate (no self-host spent).
A "young / less-saturated PROGRAM" (e.g. the Vercel OSS HackerOne program is relatively new + pays) is NOT the same as a "young / less-picked SECURITY SURFACE." Next.js middleware is the MOST-researched framework-security surface of 2025-2026. The patch-diff incomplete-fix vein needs a target whose vuln CLASS is NOT already being swept by a horde of researchers + the vendor. Before picking a patch-diff target, disclosure-gate the CLASS (count recent CVEs in that class + whether the vendor just did a multi-CVE sweep): a recent N-CVE security release covering the exact class = SATURATED -> WALK-before-drill, same as the GGUF-SSTI and RAGFlow saturation kills.
GOOD patch-diff target: ONE recent authz/access CVE, the vendor point-fixed it (didn't sweep the class), the surface is broad + not horde-researched (e.g. a mid-tier app, a less-famous framework). BAD: a famous framework's headline CVE class that triggered an industry-wide research pile-on + a vendor multi-CVE sweep (Next.js middleware, Log4Shell-class, etc.) -> the siblings are gone. Mattermost was BAD for a different reason (vendor sweeps the authz class per-fix); Next.js is BAD because the RESEARCHER HORDE + vendor already swept it. Related: [[2026-06-21-cycle271-gguf-chattemplate-ssti-saturated]], [[2026-06-21-mattermost-authz-membership-selfcheck-comprehensive]], [[2026-06-21-HARDRULE-cash-gate-current-tier-not-historical]].