Risk, and dramatic failure modes

Recently I had a plumber in to do a minor toilet repair, the sort of thing that YouTube videos had convinced me that even klutzy me could fix myself – if only the shutoff valve for the water supply had not seized up. I tried the suggestions for unsticking the valve, no joy. So my options were (1) try to apply more leverage myself, with some sort of wrench, (2) get my husband the Strong Guy to do that, or (3) call in a trained professional, who knew how much force could be safely applied, and had the training and truck full of equipment to cope if something went wrong. I went for (3) because though I’m pretty sure Tom could have made that handle turn, I was not willing to risk him (or me!) breaking the pipe and flooding the house. (Long ago, exasperated with him for some reason, I wailed “what planet are you from?”, and without missing a beat, he replied “Krypton”. Right.) Plus, I had no sense at all of the actual probabilities for valve getting unstuck vs broken pipe, so I arbitrarily assigned “high” to the broken pipe scenario.

When I report a bug, often it is pretty obvious how urgently it needs to get fixed, but not always, and that question is harder to answer if the bug in question is intermittent. What’s the worst consequence if a live customer hits the bug, and how likely is that to happen?

The problem with the “how likely is it to hit” issue is that it can be hard to judge; customer usage patterns can vary a lot. And even if the probability is once per umpteen gazillion, well, when dealing with modern high-volume transaction processing, that might mean you hit the problem twice a day.

Worst consequences should either be obvious, or understandable after a little thought. If the immediate reaction is that the worst consequences aren’t all that bad, consider thinking about it a bit more, especially with regard to how the bug might combine with other possible unfortunate events or conditions. (Like, the bug leaves a valuable resource exposed, but only on the internal network … but if the internal network has been cracked, is that resource a likely target?)