I would consider it a vulnerability since it can be abused by attackers.
In your example, as long as the input is trusted, I would also not mark the website as vulnerable. However, if the input is controlled by users and thus not trusted (as is the case here), the website would be vulnerable to phishing attacks.
For example, read more here:
An open redirect vulnerability occurs when an application allows a user to control a redirect or forward to another URL. If the app does not validate untrusted user input, an attacker could supply a URL that redirects an unsuspecting victim from a legitimate domain to an attacker’s phishing site.
Another example would be if our Markdown engine would not already sanitize the
()
part, XSS would be possible using this:
[https://stacker.news/items/194732](javascript:alert(1))
Github just doesn't apply the formatting in this case.
So I don't think it's a big difference between XSS like this and allowing malicious links to consider something a vulnerability or not.
reply
[]
part of[]()
. I think it is reasonable compromise.