by corty 2173 days ago
> I personally know at least 5 exploitable vulnerabilities in some government websites, but I won't be disclosing them, since that will land me in a lot of trouble.

That's what full disclosure is for. Drop the vuln somewhere via Tor, maybe point someone there via some anonymous communiqué. Et voilà, you made the world a safer and better place.

IMHO sitting on vulnerabilities is immoral as long as anonymous full disclosure is possible.


This might be dangerous if you initially planned to disclose responsibly and did the research/testing of the vulnerability without anonymization. In that case, if you were to release the vulnerability anonymously and it wasn't exploited before, they could still figure out that you did it by examining the logs and finding your early non-anonymous attempts.

Right, and there's no possibility to do research/testing anonymously anyway. You use your personal e-Signature/ID card to log on to government sites, so your logon is always tied to you.

It's possible that the programmers who built the system are really bad at security and really good at audit logging, but I doubt it. Personally I would take the risk, but I understand why others might not want to.

One of the first things I've recommended with systems that deal with PII or secret data is to see if the vulnerability being reported or discovered has been exploited in the past.

Many different hops will log things like HTTP paths, which include GET information, or DB audit logging, which can easily be traced with message IDs or timestamp comparisons. It's surprising how easy it is to trace issues; debug logging is often left on in production systems.

I wouldn't take that risk.