
How is it not a vulnerability?


A vulnerability is a flaw in the implementation that allows an attacker to trigger some kind of unexpected result. The result in this case is defined in an RFC. It is 100% working as intended.


A protocol can also have a vulnerability (the term is not constrained to implementation flaws only).


So your contention is that the creators of HTTP/2 intended for all users of it to be DDoSed?


I mean yes, much as http1 allows for people to be ddosed.


What is the vulnerability anyway? I skimmed the linked article twice and could find no explanation of how it works, beyond "request, cancel, request, cancel" and that it's called Rapid Reset. Why is HTTP/2 in particular vulnerable? Are all protocols supporting streams vulnerable? How is it possible to vomit such a long article with so little information?


The article we're discussing has a link to this deeper description: https://blog.cloudflare.com/technical-breakdown-http2-rapid-...



