Last time I reported a security issue to Microsoft I got reply same day and a confirmation that it was in fact an issue some day later. And then a few days later they notified me that my report was eligible for a bounty (I didn't have to ask).
This was the opposite experience of my previous report where the bug was acknowledged 9 months later and then fixed another 3 later.
I wonder if it just depends on whether your report ends up in a escalation path with lots of busy people.
This was the opposite experience of my previous report where the bug was acknowledged 9 months later and then fixed another 3 later.
I wonder if it just depends on whether your report ends up in a escalation path with lots of busy people.