I enjoy looking for security bugs in programs. However, it is really hard to justify the time it takes to test for, locate, and analyze any bug that I might find - especially when that time could be better spent doing something more tangibly productive. There is no denying that the research would be worth something to the vendor, but at this time there really is no system in place that compensates freelance researchers for their efforts. So, how do I turn my findings into something I can support my family with?
In this particular case, I sold my research to an interested party. Now you might be thinking, "To whom? And what will they use it for?" Well, rest easy - the buyer was a security firm who wanted an undisclosed vulnerability for their internal training and research. Its use will help others understand the issues surrounding full/responsible disclosure and why it is important. From here, who knows... it is in their hands now!
The vendor was informed, with a typical non-response. I am going to discuss and demonstrate the vulnerability with a local representative soon, but beyond this it will remain off any full-disclosure list and out of the public's attention.
Why does any of this matter? Well, I think the researcher community is becoming more business-smart. We have seen this in the malicious hacker community for some time - which is why botnets are rampant and prank hacks are not. This same evolution of purpose is migrating over to the business side and is causing researchers to reconsider why they are just giving it all away.