How should I escalate a vulnerability that is dismissed by the vendor?

You could:

  1. try to persuade why this vulnerability is so severe and what consequences customers may have;
  2. try to sell to companies like ZDI;
  3. go full disclosure - provide detailed description and solution, e.g. patch;

I suppose there are no other ways how you could put your vulnerability fixed. Also, in your recent topic Was the ASP.NET Padding Oracle exploit exposed in an ethical manner? What could have been done differently? you were already pointed to How to disclose a security vulnerability in an ethical fashion?.


One option that's not been mentioned in the earlier answers is engaging with CERT to have the issue raised with the vendor. They have a reporting form on their site and will handle co-ordination with the vendor.


In addition to @Ams answer (discussion/persuasion and full disclosure, I have no experience with selling them), you could possibly try contacting the product team directly - IF you happen to know who to talk to, or have a contact on the inside...
I too have found that often the MSRC are bit more resistant to accepting vulns than the product team, and once I had them work with MSRC to get them to take it (though at the time I was working with the product team already, so ....)