An operating system's security depends heavily on how developers handle privileged operations. Is it easy to make a mistake? Is the recommended way actually better than a deprecated API?
Recently, we gained insight into these questions during our company's bug bounty program, which led to some surprising conclusions.