A bug bounty researcher shares a story of finding an exposed GraphiQL IDE and enabled introspection on a production system, initially scoring it CVSS 9.1. The triage team rejected it as 'Informative' because the visible mutations were protected server-side: anonymous users couldn't actually execute them. Key lessons: schema visibility doesn't equal exploitability, CVSS scores should reflect demonstrated impact, not theoretical access, and misconfigurations without confirmed confidentiality, integrity or availability (CIA) impact rarely qualify for bounties. The researcher received a 50 CHF courtesy bonus, acknowledging the real (but non-exploitable) misconfigurations of a public GraphiQL IDE and enabled introspection in production.