Ask HN: MSRC silently patched my report (Status: "Complete") but denied bounty?
TL;DR: MSRC admitted via email that they "addressed the issue technically," moved the case status from "Develop" to "Complete" (Fixed), but still denied the bounty claiming it was "Content Policy."
Is this "silent patching" behavior common with MSRC recently? It feels like they used the report to patch the product but labeled it "invalid" to save budget. Full evidence & screenshots here: https://x.com/HoangMon158316/status/1993121590939467827?s=20
If you expected a bounty then you made a mistake posting the goods upfront. Sorry.
I submitted this privately via the MSRC Portal and followed CVD guidelines for over 90 days. I spent months appealing and emphasizing the technical severity to them. The result was always the same: They admitted the technical fix (Status: Complete), but refused the bounty claiming 'Content Policy'. I am only sharing this now because I have exhausted all internal appeals and they stopped responding.