We learn that even the most critical of vulnerabilities can be identified in this most unusual of places, such as this report, where the reporter identified an SQL injection in an advertising email's subscription section
A spot-on and to-the-point report is always the best way to catch the attention of program owners
A critical vulnerability should be fully exploited to demonstrate environmental impact so that it gets the reporter the maximum bounty