I have found a vulnerability in the product of a local vendor who wasn't found in MITRE's CNA table.
I intend to email the vendor first, report it to my local government's vulnerability program and then request a CVE-ID from MITRE. However, I have three questions on the subject.
- If the vendor does not acknowledge my findings (the chances of this happening are pretty high) and a CVE-ID gets assigned, can I still publish the exploit code to exploit-db.com?
- Can I publish a writeup on how I found the vulnerability once a CVE-ID is assigned?
- On MITRE's website, they say that the researcher who requests a CVE-ID won't be credited. Is there any way that I could get credited for the vulnerability I found?
This is my first zero-day and I don't know how to proceed further as different websites propose conflicting information on this. Kindly guide me on how to report this.
PS: I am not looking for bounty money; I'm just trying to mark my humble presence in the vast cyber security world.