"@Kym_Possible why is direct object reference p3? I've downloaded site backups exposing pii that way. Not a bugcrowd bounty."
The truth is that no priority model is perfect. Heartbleed was a CVSS 5.0 but definitely had critical impact; if it had been treated like a moderate-class vulnerability it still wouldn't be patched (well, okay, we know not everyone has patched it everywhere still, but we're getting there). So Bugcrowd's priority model - like almost every other priority model - is simply a starting point for assessment that inevitably has edge cases. Fundamentally the answer to the question is found in another question: regardless of the vulnerability type, what is the impact of the vulnerability? (I like the STRIDE model for categorizing impact, your mileage may vary). Is it remotely exploitable? Is user interaction required? What is the value of the asset being compromised?
If you've found an IDOR vulnerability that discloses directory structure, that's going to be a P3. But if you're disclosing user names, that's probably a P2, and if the information disclosure includes usernames and passwords, P1. When you report that direct object reference, be clear about the impact. This can be done in as few as two sentences at the start of your vulnerability report that make the impact incredibly clear:
> $VULNTYPE resulting in $IMPACT
> Attacker does X, User does Y (where Y may be 'nothing'), Attacker now pwns Z
That makes it super clear to the person reading your vulnerability report exactly why they should care about this issue and what the impact is to their business.
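To make the "direct object reference" class concrete, here is an added example (not code from the original post or from Bugcrowd) of a backup-download lookup in its vulnerable form next to the hardened form; the `Backup` store, account names and `contains_pii` flag are all constructed for illustration:

```python
# Added example: a direct-object-reference lookup, vulnerable and hardened.
# All data below is constructed; nothing here comes from a real site.
from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    backup_id: int
    owner: str          # account that created the backup
    contains_pii: bool  # constructed flag: what a leak of this object exposes


# Constructed sample store: backup 2 belongs to "bob" and holds PII.
BACKUPS = {
    1: Backup(1, "alice", contains_pii=False),
    2: Backup(2, "bob", contains_pii=True),
}


class Forbidden(Exception):
    """Raised when the requester is not authorised for the object."""


def get_backup_vulnerable(requester: str, backup_id: int) -> Backup:
    # IDOR: the identifier alone selects the record. The requester is never
    # compared to the owner, so any logged-in user can read any backup,
    # including ones containing other people's PII.
    return BACKUPS[backup_id]


def is_authorised(requester: str, backup_id: int) -> bool:
    # Authorise the (subject, object) pair, not just the object. A missing
    # backup and someone else's backup give the same answer so the endpoint
    # does not confirm which identifiers exist.
    backup = BACKUPS.get(backup_id)
    return backup is not None and backup.owner == requester


def get_backup_hardened(requester: str, backup_id: int) -> Backup:
    # Fixed lookup: the ownership check runs before any data is returned.
    if not is_authorised(requester, backup_id):
        raise Forbidden("backup not accessible")
    return BACKUPS[backup_id]
```

When writing the report, the `contains_pii` flag is the kind of fact that decides the impact sentence: an unauthorised read of backup 2 is the PII-disclosure case, not the directory-structure case.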