I'm curious to see how people take on different vulnerability severity classes. When you are testing - are you specifically looking for Medium+, or is it strictly finding a bug and then seeing how far you can push it. I mostly ask because with a newer account, I am less confident in submitting genuine low severity reports due to the chance of it being marked informational. I have enough knowledge to know the difference, but I don't know the grey area for how specific triagers will mark it (whether it's programs or platforms) I typically frame it by attack surface and severity potential but I am wondering how others are approaching it. submitted by /u/watkisean [link] [comments]