I've come across a vulnerability that secure@microsoft does not think is worth pursuing.

I would estimate that there are many, many customers affected by this issue.

I do not want to start a grassroots campaign to fix this, as that would publish the vulnerability in the process.

What should I do?

stefan
makerofthings7

4 Answers

You could:

  1. try to persuade why this vulnerability is so severe and what consequences customers may have;
  2. try to sell to companies like ZDI;
  3. go full disclosure - provide detailed description and solution, e.g. patch;

I suppose there are no other ways to get your vulnerability fixed. Also, in your recent topic Was the ASP.NET Padding Oracle exploit exposed in an ethical manner? What could have been done differently? you were already pointed to How to disclose a security vulnerability in an ethical fashion?.

  • I wasn't aware of ZDI; thank you for prompting me to research it. – makerofthings7 Nov 22 '10 at 17:12
  • Do note that there are many companies that will buy vulnerabilities from you but which do _not_ do so ethically. Many companies will sell the exploits to governments with a history of human rights abuses. – forest Feb 19 '19 at 03:35
One option that's not been mentioned in the earlier answers is engaging with CERT to have the issue raised with the vendor. They have a reporting form on their site and will handle co-ordination with the vendor.

Rory McCune

I would personally consider selling it, like Ams said before. Why? They have more reach inside Microsoft (and other such companies) than you, and second, you get paid for your findings.

And don't worry about publishing the vulnerability; last time I checked, web sites like ZDI only release the information after it's been fixed and/or patched.

Rory Alsop

In addition to @Ams's answer (discussion/persuasion and full disclosure; I have no experience with selling them), you could possibly try contacting the product team directly - IF you happen to know who to talk to, or have a contact on the inside...
I too have found that often the MSRC are a bit more resistant to accepting vulns than the product team, and once I had them work with MSRC to get them to take it (though at the time I was working with the product team already, so ....)

AviD