I reported such a bug to some software my company uses (Tempo). Vendor proceeds to call it a feature request because the software successfully fails to show public information (visible in the UI, but HTTP 403 in the API unless you're an admin).
Instead of changing one word in the code that defines the access level required for this GET call, it gets triaged as not being a bug, put on a backlog, and we never heard from it again, obviously.
We pay for this shit