I recently reported a security issue in an API to a major tech vendor (not Google) and was shocked to get a reply from a "security analyst" at the firm who basically said it was a non-issue because it didn't occur when they went to the API url in their web browser.

It's baffling that tech firms seem to have people without strong technical aptitudes responsible for incoming security reports.