I particularly hate their initial request because it's so asymmetric in the amount of effort.

In my experience (from maybe a dozen disclosures), when they don't feel like taking action on your report, they just write a one-sentence response asking for more details. Now you have a choice:

A: Clarify the whole thing again with even more detail and different wording because apparently the words you used last time are not understood by the reader.

B: Not to waste your time, but that leaves innocent users vulnerable...

My experience with option A is that it now gets closed for being out of scope, or perhaps they ask for something silly. (One example of the latter case: the party I was disclosing to requested a demonstration, but the attack was that their closed-source servers could break the end-to-end encrypted chat session... I wasn't going to try hacking their server, and reverse engineering the protocol to create a whole new chat server based on that and then recompiling the client with my new server configured, just to record a video of the attack in action, was a bit beyond my level of caring, especially since the issue is exceedingly basic. They're vulnerable to this day.)

TL;DR: When maintainers intend to fix real issues without needing media attention as motivation, and assuming the report wasn't truly vague to begin with, "asking for more details" doesn't happen a lot.
