Can I publish an exploit code to after a CVE ID gets assigned?

I have found a vulnerability in a local vendor's product, who wasn't found in MITRE's CNA table.

I intend to email the vendor first, report it to my local government's vulnerability program and then request MITRE for a CVE-ID. However, I have three questions on the subject.

  1. In the event of the vendor not acknowledging my findings (the chances of this happening are pretty high), and a CVE-ID gets assigned, can I still publish the exploit code to
  2. Can I publish a writeup on how I have found the vulnerability once a CVE ID is assigned?
  3. On MITRE's website, they say that the researcher who requests a CVE-ID won't be credited. Is there any way that I could get credited for the vulnerability I found?

This is my first zero day and I don't know how to proceed further as different websites propose conflicting information on this. Kindly guide me on how to report this.

PS: I am not looking for bounty money; I'm just trying to mark my humble presence in the vast cyber security world.
