> A version whose source does not expose created_at, such as older gem servers, historical entries from before the v2 cutover, or private registries still on the v1 format, is treated as outside the window and stays resolvable.
How is that not an easy exploit to circumvent the cooldown?
Aren't we back to the drawing board once everyone uses this?
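
The behaviour in the quoted passage, as an added example that is not part of the original comment or the project's own code: a cooldown filter over constructed version records, with the quoted fail-open handling of a missing `created_at` beside a fail-closed mode. The record layout, the helper names and the `missing:` option are assumptions made for illustration.

```ruby
require "time"

# Constructed sample records (not real registry data). created_at is nil
# where the source does not expose a publication timestamp.
VERSIONS = [
  { name: "examplegem", version: "1.0.0", created_at: "2024-01-10T00:00:00Z" },
  { name: "examplegem", version: "1.1.0", created_at: "2024-06-01T00:00:00Z" },
  { name: "examplegem", version: "1.2.0", created_at: "2024-06-14T00:00:00Z" },
  { name: "examplegem", version: "1.3.0", created_at: nil },
].freeze

# Hypothetical helper: returns the versions that stay resolvable.
# missing: :allow  -> the quoted behaviour (no timestamp = outside the window)
# missing: :block  -> fail closed (no timestamp = inside the window)
def cooldown_filter(versions, now:, cooldown_days:, missing: :allow)
  cutoff = now - cooldown_days * 86_400
  versions.select do |v|
    if v[:created_at].nil?
      missing == :allow
    else
      Time.iso8601(v[:created_at]) <= cutoff
    end
  end
end

# Hypothetical helper: versions whose age cannot be checked at all, so a
# resolver can log them instead of letting them pass silently.
def unverified_age(versions)
  versions.select { |v| v[:created_at].nil? }.map { |v| v[:version] }
end

# Fixed clock so the result is reproducible (constructed value).
NOW = Time.iso8601("2024-06-15T00:00:00Z")

def resolvable(missing)
  cooldown_filter(VERSIONS, now: NOW, cooldown_days: 7, missing: missing)
    .map { |v| v[:version] }
end

puts "fail-open:    #{resolvable(:allow).inspect}"
puts "fail-closed:  #{resolvable(:block).inspect}"
puts "no timestamp: #{unverified_age(VERSIONS).inspect}"
```

With a 7-day window, the only difference between the two modes is the record without a timestamp; the recent, timestamped 1.2.0 is held back in both.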