Still waiting for a real use of this vulnerability beyond a PoC that merely shows that it's possible. Show me some software that actively does this with Spectre v1 or MDS and I'll believe you. The reality is that there is no coordinated way to get what you want, it merely exposes what's in the buffers (for MDS). Hell, even with intimate knowledge, the buffer data is likely useless you can determine what the program counter was at the time, but you don't have access to that register or the stack. So unless you know the state of the application and the code being run for it, you're likely not going to be able to make any use of MDS. Spectre v1 has the same problem except that the rate that data is leaked is so slow, the data you're looking for can't possibly change memory locations or be changing in any way for it to be exploitable.
So once again, I challenge you to write an application that actually takes advantage of these vulnerabilities beyond a PoC. I bet you can't.