Is anyone else sick of vendors dismissing clear reports of security issues as “Intended Behaviour”/“By Design” and “not a security issue”?
I’ve even had two claim it’s “theoretical” or “not reproducible” despite screenshots and syntax for a PoC tool and advice that there is a private repo for the exploit tool they can be added to.
Lazy triage?
This isn’t aimed at a single vendor. A friend and I have reported one to 4 major vendors who are all vulnerable to the same issue and attack vector, and the response from 3/4 so far is as above. Which means that when the other vendor presumably responds in the same way, we will end up disclosing, because if we don’t, someone with fewer scruples/morals will find it and use it anyway - if in fact it has not already been widely used, because it’s incredibly simple to do and to deceive defences that just aren’t looking at this attack at all.
