Bug Hunting Penetration RGB Hat are red, gray, and black hat
Low severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work but allow nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:
- signing up arbitrary users for access to an “early access feature” without their consent
- creating an issue comment that bypasses our image proxying filter by providing a malformed URL
- triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information
- triggering application exceptions that could affect many users
- injecting JavaScript event handlers into links, etc., that are mitigated by CSP on GitHub.com
- disclosing the existence of private packages on npm that should be inaccessible, e.g., through error messages (but not through timing attacks, which are ineligible)
- novel supply chain vulnerabilities that affect a GitHub product but are not solely limited to that product
- credentials such as those from the .npmrc file or from GitHub Enterprise Server being leaked in logs
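As an added illustration of the last item (this is example code, not code from GitHub or the bounty program), a small Python log scrubber that masks .npmrc credential values before build logs are stored or shipped. The key names come from the .npmrc format; the `npm_` token prefix check is an assumption, and the sample log lines are constructed.

```python
import re

# .npmrc credential keys whose values must never reach a log.
# Ordered so "_authToken" is tried before the shorter "_auth".
_NPMRC_KEYS = re.compile(
    r"(?P<key>(?:_authToken|_auth|_password)\s*=\s*)(?P<value>\S+)"
)
# Assumption: npm-issued tokens start with "npm_" followed by an alphanumeric body.
_NPM_TOKEN = re.compile(r"\bnpm_[A-Za-z0-9]{20,}\b")


def redact_npm_secrets(line: str) -> str:
    """Return the log line with .npmrc credential values masked."""
    line = _NPMRC_KEYS.sub(lambda m: m.group("key") + "[REDACTED]", line)
    return _NPM_TOKEN.sub("npm_[REDACTED]", line)


def scan_log(lines):
    """Return (line_number, redacted_line, had_secret) for every log line."""
    findings = []
    for n, raw in enumerate(lines, 1):
        clean = redact_npm_secrets(raw)
        findings.append((n, clean, clean != raw))
    return findings


# Constructed sample: a verbose npm run that echoes its config, plus a shell step
# that writes an _auth value into .npmrc.
SAMPLE_LOG = [
    "npm verb config //registry.npmjs.org/:_authToken=npm_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789",
    "npm info using npm@9.6.7",
    "echo _auth=dXNlcjpwYXNz >> ~/.npmrc",
]

if __name__ == "__main__":
    for n, line, hit in scan_log(SAMPLE_LOG):
        print(f"{n:>3} {'!' if hit else ' '} {line}")
```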