I once tested a password reset feature.
Everything worked.
Emails sent correctly.
Tokens expired properly.
But out of curiosity I tried something strange.
I requested 100 password resets in 10 seconds.
The system happily sent them all.
That meant anyone could spam users with reset emails.
Not a typical functional bug.
But definitely a security and abuse issue.
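The check that was missing in the system described above is a per-account and per-source rate limit on reset requests, applied before any email is sent. The following is an added example in Python (not code from the original post or the system it describes): a sliding-window limiter keyed by normalized email and by client IP, with the limits (3 per account per 15 minutes, 10 per IP per 10 minutes), the clock injection and the simulated burst all assumed here for illustration. The handler returns the same generic message whether or not an email goes out, so the limiter does not become an account-enumeration oracle.

```python
import time
from collections import defaultdict, deque

# Generic response returned on every path, so a caller cannot tell
# "unknown account" from "throttled" from "email sent".
GENERIC_RESPONSE = "If that address is registered, a reset link has been sent."


class SlidingWindowLimiter:
    """Allow at most `limit` events per `key` in any `window_seconds` span."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock  # injectable so tests can fast-forward time
        self._hits = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key):
        now = self.clock()
        q = self._hits[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class ResetService:
    """Password-reset request handler with abuse controls (assumed limits)."""

    def __init__(self, clock=time.monotonic):
        self.per_account = SlidingWindowLimiter(3, 15 * 60, clock)   # assumed
        self.per_ip = SlidingWindowLimiter(10, 10 * 60, clock)       # assumed
        self.sent = []  # constructed stand-in for the outgoing mail queue

    def request_reset(self, email, client_ip):
        key = email.strip().lower()
        # Evaluate both limiters so a burst is charged against both budgets.
        ip_ok = self.per_ip.allow(client_ip)
        acct_ok = self.per_account.allow(key)
        if ip_ok and acct_ok:
            self.sent.append(key)  # real code: enqueue the reset email here
        return GENERIC_RESPONSE


def simulate_burst(n=100, seconds=10.0):
    """One attacker IP hammers one victim address n times over `seconds`.
    Returns how many reset emails would actually have been sent."""
    t = [0.0]
    svc = ResetService(clock=lambda: t[0])
    for _ in range(n):
        svc.request_reset("Victim@Example.com", "203.0.113.5")
        t[0] += seconds / n
    return len(svc.sent)


def simulate_many_accounts(n=100):
    """Same IP, n different target addresses, all within one second."""
    t = [0.0]
    svc = ResetService(clock=lambda: t[0])
    for i in range(n):
        svc.request_reset(f"user{i}@example.com", "203.0.113.5")
        t[0] += 1.0 / n
    return len(svc.sent)


def sends_after_window():
    """After the per-account window expires the legitimate user may retry."""
    t = [0.0]
    svc = ResetService(clock=lambda: t[0])
    for _ in range(5):
        svc.request_reset("victim@example.com", "198.51.100.7")
    t[0] += 15 * 60  # fast-forward past the 15-minute account window
    resp = svc.request_reset("victim@example.com", "198.51.100.7")
    return len(svc.sent), resp == GENERIC_RESPONSE


if __name__ == "__main__":
    print("emails sent for 100-in-10s burst:", simulate_burst())
    print("emails sent for 100 accounts from one IP:", simulate_many_accounts())
    print("sends after window expiry, generic reply:", sends_after_window())
```

The in-memory deques are fine for a single process; behind a load balancer the counters belong in shared storage (for example a store with atomic increments and TTLs), otherwise each instance enforces its own budget and the effective limit multiplies by the number of instances.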
Sometimes testing means asking unusual questions like:
"What happens if someone abuses this feature?"
QA is not just about correctness.
It's about resilience.
Have you ever tested rate limits intentionally?
