The bit I was replying to was a hypothetical situation where QA does, for some reason, find the flaw but management rejects it because it doesn't match a bullet point in the requirements. My point was just that if that's not in the requirements then you have even bigger problems. I never claimed or even implied (because I don't believe) that writing down that requirement would actually achieve anything.