
Bug Bounty·/u/hackaniod·3 days ago

Hey fellow hackers, I recently submitted a report that got triaged as a simple "Information Disclosure (Out of Scope)" and closed. I'd love to get your perspective on whether this classification is fair or if it's a bit of a lazy triage.

The Vulnerability Context: The application had a complete lack of client-side input validation on a specific parameter (PREFERENCES). By passing invalid data (using double brackets/JSON syntax), it broke the server's business workflow entirely. Because customErrors mode="Off" was left enabled in the .NET config, the server failed to handle the input and dumped full stack traces and internal framework method names.

My Argument: I reported this not just as an info disclosure, but as a structural flaw in the system's error-handling logic and input validation. The way the server handles (or fails to handle) input processing indicates a deeper business logic flaw that could lead to Mass Assignment or IDOR…
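The customErrors setting the post refers to, as an added illustration that is not part of the original post or the reported application: an ASP.NET web.config fragment with the disclosing setting beside a hardened one. The error page path and the httpRuntime line are assumptions, not something the post describes.

```xml
<!-- Added example, not taken from the post. Two ASP.NET web.config fragments. -->

<!-- Weak: mode="Off" returns the full exception page (stack trace,
     framework method names, source context) to every client,
     remote ones included. -->
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>

<!-- Hardened: mode="RemoteOnly" keeps the detailed page for requests
     from the server itself and serves a generic page to remote clients;
     mode="On" hides it from everyone. The ~/Error/Generic.aspx path is
     an assumed placeholder. -->
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error/Generic.aspx">
      <error statusCode="500" redirect="~/Error/Generic.aspx" />
    </customErrors>
    <!-- Assumed extra: stop the X-AspNet-Version response header. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>
```

A quick check on a deployment is to request a page that is known to throw and confirm that a remote client receives only the generic page while the detailed error still lands in the server-side log. Client-side validation on its own is not a control, since the request can be sent without the browser, so the server-side handler for the parameter also needs to reject malformed input and log it rather than rely on the framework's unhandled-exception page.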
