@loke @bagder As pentesters we regularly argued about whether a behavior can be considered a vulnerability or not. A resolution strategy that almost always worked is to ask ourselves what our recommended fix would be. Maybe including such a question in the report template could help prevent/resolve similar misunderstandings?