
This happens all too often
As a frequent participant in bug bounties... I come across this often... and then some.
You either get:
a) This is not a bug - this is a FEATURE!
b) We don't regard this as a security risk
and
c) Oh, that's out of scope now...
I remember I was testing a well-known sandboxing program that was touting how it could stop CryptoLocker dead in its tracks. It has a tick box that says "deny all internet access" for the sandboxed program, but what I found out was that it forgot about the SMB protocol, so your sandboxed program could bypass these restrictions like this: \\www.yoursite.com\fileyouwanthere$ and it bypassed the restrictions and went to fetch that file (not to mention that DNS queries were treated the same way, so DNS exfiltration was allowed too). Response from vendor -> "We know about this, it's supposed to be like that..."
So I go back in and keep looking... find that I can keylog processes that are OUTSIDE the sandbox from within it... ooh nice. Submit it -> Scope is suddenly changed to "Our sandboxing program is not supposed to protect against keyloggers"...
After that I found a way to pivot into a system-level process outside the sandbox from within it, and you know what? I just thought "screw these guys" and didn't submit it...
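The "deny all internet access" failure described in the post, as an added example that is not part of the original comment or the vendor's product: a small Python model of the two ways such a switch can be implemented, a blocklist of the HTTP(S) ports versus a default-deny allowlist, exercised with the UNC path from the post and with a DNS exfiltration query. Port numbers are real; the Flow and policy classes, the hostnames and the secret are hypothetical and constructed for illustration.

```python
"""Egress-policy model for a sandbox's "deny all internet access" control.

Added, hypothetical example (not the vendor's code): a blocklist that only
covers the HTTP(S) ports versus a default-deny allowlist, tested against the
UNC-path and DNS channels.  Port numbers are real; hostnames and the policy
classes are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse


@dataclass(frozen=True)
class Flow:
    proto: str  # "tcp" or "udp"
    host: str
    port: int


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def flows_for_access(target: str) -> list[Flow]:
    """Expand a URL or UNC path into the outbound flows a Windows client makes.

    A hostname that is not an IP literal is resolved first (DNS, UDP 53), then
    the data connection follows: TCP 80/443 for HTTP(S), TCP 445 for SMB.
    """
    if target.startswith("\\\\"):
        # UNC path \\host\share\file -> SMB over TCP 445 (legacy 139 omitted).
        host = target[2:].split("\\", 1)[0]
        data = Flow("tcp", host, 445)
    else:
        u = urlparse(target)
        if u.scheme not in ("http", "https") or not u.hostname:
            raise ValueError(f"unsupported target: {target!r}")
        host = u.hostname
        data = Flow("tcp", host, u.port or (443 if u.scheme == "https" else 80))
    flows = [] if _is_ip_literal(host) else [Flow("udp", host, 53)]
    flows.append(data)
    return flows


class BlocklistPolicy:
    """Weak "deny internet": only the TCP ports someone thought of are blocked."""

    def __init__(self, blocked_tcp_ports):
        self.blocked = frozenset(blocked_tcp_ports)

    def allows(self, f: Flow) -> bool:
        return not (f.proto == "tcp" and f.port in self.blocked)


class DefaultDenyPolicy:
    """Hardened "deny internet": nothing leaves unless explicitly allowed."""

    def __init__(self, allowed=()):
        self.allowed = frozenset(allowed)

    def allows(self, f: Flow) -> bool:
        return f in self.allowed


def denied_flows(policy, target: str) -> list[Flow]:
    """Flows the policy stops; an empty list means the access succeeds."""
    return [f for f in flows_for_access(target) if not policy.allows(f)]


def is_reachable(policy, target: str) -> bool:
    return not denied_flows(policy, target)


def dns_exfil_name(secret: bytes, zone: str) -> str:
    """Hex-encode data into DNS labels (max 63 chars each) under a zone.

    Querying this name leaks the data even when every data port is blocked,
    which is why DNS has to be covered by the same policy.
    """
    hexed = secret.hex()
    labels = [hexed[i:i + 63] for i in range(0, len(hexed), 63)]
    return ".".join(labels + [zone])


def dns_exfil_possible(policy, zone: str) -> bool:
    """True if a lookup for a name under `zone` is allowed to leave."""
    return policy.allows(Flow("udp", dns_exfil_name(b"x", zone), 53))


if __name__ == "__main__":
    weak = BlocklistPolicy({80, 443})
    hardened = DefaultDenyPolicy({Flow("tcp", "10.0.0.5", 445)})  # intranet share
    unc = r"\\www.yoursite.com\fileyouwanthere$"
    for name, pol in (("blocklist", weak), ("default-deny", hardened)):
        print(name, "http:", is_reachable(pol, "http://www.yoursite.com/x"),
              "unc:", is_reachable(pol, unc),
              "intranet unc:", is_reachable(pol, r"\\10.0.0.5\share"),
              "dns exfil:", dns_exfil_possible(pol, "attacker.example"))
```

Under the blocklist, the HTTP fetch is stopped but the UNC fetch (DNS lookup plus TCP 445) and the DNS exfiltration query both go through; under the default-deny policy only the explicitly allowed intranet share works. The point is the policy shape, not the specific ports: any "deny network" control that enumerates what to block rather than what to allow will miss a channel eventually.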