Oh I agree.. however some clients are more twitchy than others 🙂 - I understand the need to be slightly vaugue about the nature of these things but a flag "only is a vulnerability if you can login to the backoffice" would be a great addition to the notice if possible.