Comment by apublicfrog

12 hours ago

The author quite clearly outlines their reasoning for this in the article:

> Carrot Disclosure, dangling a metaphorical carrot in front of the vendor to incentivise change. The main idea is to only publish the (redacted) output of the exploit for a critical vulnerability, to showcase that the software is exploitable. Now the vendor has two choices: either perform a holistic audit of its software, fixing as many issues as possible in the hope of fixing the showcased vulnerability; or lose users who might not be happy running known-vulnerable software. Users of this disclosure model are of course called Bugs Bunnies.

Seems like grandstanding bad faith to me. They didn't even bother to follow the established disclosure policy for this project because the author feels the quality of the code is so crap, so instead they do this...