Pentesters: there’s a fine line between diligence and being freaking annoying. Last year a tester found that our auth provider’s SDK generated a sensitive one-time-use URL for our client to connect to their server with, over TLS. I’m still dealing with this dumb finding, which pissed me off so badly that I fired the testing firm and switched to someone else this year.
Do be diligent, but don’t pick stupid hills to die on.