Yes/No. The issue is more about categorizing between low, medium, high and critical security issues, because this impact the bounties values.
So, we have to define some guidelines on which is high or medium, because this is the most difficult part to differentiate. OOB reads gets medium, while OOB write gets high. Buffer overflows get high, while Null-deref gets medium.
If you try hard enough, those are probably exploitable, but maybe, we're not sure. While the OOB writes are exploitable, so this is more important, so it gets high.
Of course, it is important to fix everything, but we need to be fair, notably when it is not our money.
> Is this really valid?
Yes/No. The issue is more about categorizing between low, medium, high and critical security issues, because this impact the bounties values.
So, we have to define some guidelines on which is high or medium, because this is the most difficult part to differentiate. OOB reads gets medium, while OOB write gets high. Buffer overflows get high, while Null-deref gets medium.
If you try hard enough, those are probably exploitable, but maybe, we're not sure. While the OOB writes are exploitable, so this is more important, so it gets high.
Of course, it is important to fix everything, but we need to be fair, notably when it is not our money.