To be honest it's actually pretty easy. For one thing in the Open Source world I just ask them for an example of the vulnerable code/code fix, or for how exploitation occurs (e.g. with XSS it's usually trivial to demo), if they can't provide either then chances are they don't really understand the vulnerable enough to be asking for an identifier.
For the closed source world it's obviously a bit tougher, which is why DWF number assignments are farmed out as much as possible to vendors, who can and do verify the issues (an then need an identifier for them).
So if someone attempts to flood the DWF with stuff, Open Source stuff would be trivial to weed out, and for closed source we'd simply base it on various things like "is this person well known/have a good track record?" and "can we easily verify this" and so on.
Biting the hand that feeds IT
