[ed25519FUUU]

> Unfortunately, sometimes companies are non-responsive. At that point, I have a few options. I can sell the vulnerability to someone else who will certainly exploit it. I can just let it sit -- maybe the bug will be fixed by coincidence or become obsolete, or maybe I'll find another use for it later. (I have a large collection of sitting vulnerabilities, some dating back decades.)

This sounds so interesting to me to hear about. Can anyone recommend a podcast where like-minded engineers discuss things like this? I'd love to vicariously live through their hacking adventures.

[lucb1e]

Sitting on bugs is just being an asshole, not a great adventure. In most cases there really isn't that much to tell anyway: you find a bug, either on your own or in a customer project, and for some reason it doesn't get fixed. Perhaps management accepts the risk and you're bound by an NDA. Perhaps you plan to make a patch so people can also update when you publish but you haven't found the time for the patch and so it continues (I know of a denial of service in nextcloud like this: it's trivial to find (go ahead) and out of scope for their security program so nextcloud tells us it's a wontfix; we're still meaning to release a patch but it has been two months now, though it's only denial of service anyway). If the bug just so happens to be useful in the future, it's like using a public bug except you're the only one knowing it and you can feel real proud of yourself for putting everyone at risk during that time.