# The Thirsty Horse and the Security Bug

Once upon a time, in the vast open plains of AppSec, there was a strong, healthy horse. This horse wasn’t just any horse - it was **a [security issue](https://highspot.atlassian.net/browse/HS-53408)**. Newly discovered, it ran wild and free, living its best life under the care of an entire team of AppSec engineers. It had attention, it had priority, it had momentum.

But then, something strange happened. The horse **stopped drinking water**. Despite being surrounded by a whole **watering hole of engineers**, it refused to hydrate. The issue entered triage, got assigned, then reassigned, and before long, it was **just standing there, staring into the distance**, contemplating the meaning of life (or perhaps just waiting for someone to acknowledge its existence).

I saw this happening and **grabbed the reins**. “Come on, buddy,” I said. “Let’s go drink some water.”

But the horse dug in its hooves. The ticket bounced from **one team to another**, each crew patting the horse on the back and saying, “Yeah, we should really fix this,” before **nudging it further down the road** like some kind of security hot potato.

**The neighbors started noticing.**

One neighbor - a concerned QA tester - walked up and whispered, “Hey, uh… is that horse okay? It doesn’t look great.”

Another neighbor - let’s call them **Engineering Leadership** - sighed, grabbed their metaphorical shotgun, and asked, **“Do you want me to just put it down?” (close it)**

**“No, no, no! It just needs water!”** I protested, yanking at the reins again.

Finally, someone on the team **tied a lead rope around the horse’s neck** (aka, assigned the issue properly, added some new labels, some new crews, some new Epics). “Alright, let’s see it,” they said. “Can you **reproduce the problem again**?”

“Sure,” I said, demonstrating the issue.

“Ah, got it. But can you… do it **one more time**?”

I sighed, but I did it.

At this point, the horse was on its **last legs**, dry as a compliance policy. I was **dragging** it toward the water, **begging** it to drink.

And then… **The horse got kicked.** Over. And over. And over again. For two hours. It gasped, it wheezed, and then, finally, with a final dramatic shudder… **it died.**

Not because it starved. Not because I gave up. But because **an engineer finally ran the code I gave them and realized the entire time that it was an OAuth token, not the basic token pair.**

**“Ohhhhhh,” they said.**

Yeah. Oh.

The moral of the story? You can **lead a security issue to engineers**, but you **can’t make them read the issue and run the sample script.**