
Comment by mmsc

4 months ago

>Sometimes for real bugs you have to explain the impact with a good "look what I can do with this."

I'm not sure. Anybody that keeps up to date with security (e.g. those working in a security team) should know that ticketing systems also contain credentials sometimes. For example, when Okta was breached, the main concern was that Okta support tickets contain... session tokens, cookies, and credentials!

https://www.bleepingcomputer.com/news/security/okta-says-its...

What's the point of having a security team that can't directly link external experience to their own system? Learning the same mistakes that have already been known?