Something “operating as designed”, if designed incorrectly, is still broken.

Something that doesn’t “corrupt, modify or delete data” but does “leak” sensitive data to potential attackers, is still a serious exploit.

This is worryingly full of error-by-omission statements.