I've only submitted two security reports, both for very blatant bugs, and they've booth been closed as "works as intended".

I don't think my bank had intended to make passwords optional, and the third-party administrator of their bug bounty program agreed, when creating the report, but once it made it to the bank, it was up to them to decide if it was or was not a bug.