> Unfortunately, sometimes companies are non-responsive. At that point, I have a few options. I can sell the vulnerability to someone else who will certainly exploit it. I can just let it sit -- maybe the bug will be fixed by coincidence or become obsolete, or maybe I'll find another use for it later. (I have a large collection of sitting vulnerabilities, some dating back decades.)
This sounds so interesting to me to hear about. Can anyone recommend a podcast where like-minded engineers discuss things like this? I'd love to vicariously live through their hacking adventures.
Sitting on bugs is just being an asshole, not a great adventure. In most cases there really isn't that much to tell anyway: you find a bug, either on your own or in a customer project, and for some reason it doesn't get fixed. Perhaps management accepts the risk and you're bound by an NDA. Perhaps you plan to make a patch so people can also update when you publish, but you haven't found the time for the patch and so it continues (I know of a denial of service in Nextcloud like this: it's trivial to find (go ahead) and out of scope for their security program, so Nextcloud tells us it's a wontfix; we're still meaning to release a patch, but it has been two months now, though it's only denial of service anyway). If the bug just so happens to be useful in the future, it's like using a public bug, except you're the only one who knows about it, and you can feel real proud of yourself for putting everyone at risk during that time.