First off if you haven’t read the post about what ranks as a higher priority and how that converts to payment by Kymberlee on bugcrowd you should https://blog.bugcrowd.com/vulnerability-prioritization-at-bugcrowd/. I am making this post, because Twitter is limited in how much you can say, so @kymberlee suggested moving to the forum.
I noticed direct object reference(DOR) was put as priority 3. I understand that a lot of things that fall under DOR don’t always expose sensitive data, but the ones I go after do. I almost always get PII when I go after direct object reference, whether it be the entire database, a backup of the entire site with all the code the company tried to obscure along with PII, etc.
I’ll play devils advocate for a moment and use facebook public images as an example of an issue that was DOR and still is if you can guess or know the sequence of numbers used in the URL, but I see a public picture as p5. If you are able to DOR the private pictures, which I think you can then I see that as PII and p2 to p1. So, with all that said why is DOR p3?