I like VirtualBox and it has nothing to do with why I publish a 0day vulnerability. The reason is my disagreement with the contemporary state of infosec, especially of security research and bug bounty:
1) Waiting half a year until a vulnerability is patched is considered fine.
2) In the bug bounty field these are considered fine:
   1) Waiting more than a month until a submitted vulnerability is verified and a decision to buy or not to buy is made.
   2) Changing the decision on the fly. Today you figure out the bug bounty program will buy bugs in a piece of software; a week later you come with bugs and exploits and receive "not interested".
   3) Not having a precise list of software a bug bounty is interested in buying bugs in. Handy for bug bounties, awkward for researchers.
   4) Not having precise lower and upper bounds on vulnerability prices. There are many things influencing a price, but researchers need to know what is worth working on and what is not.
3) Delusions of grandeur and marketing bullshit: naming vulnerabilities and creating websites for them; holding a thousand conferences a year; exaggerating the importance of your own job as a security researcher; considering yourself "a world saviour". Come down, Your Highness.
I'm exhausted by the first two, therefore my move is full disclosure. Infosec, please move forward.
## General Information
**Vulnerable software:** VirtualBox 5.2.20 and prior versions.
**Host OS:** any, the bug is in a shared code base.
**Guest OS:** any.