At what point does it become more sensible to black hat these zero days? If the company you are helping out isn't willing to give you more than the finger for your help it seems like you're the fool in that arrangement.
Nobody is buying this vulnerability. If you're unhappy with how a bug bounty program is structured, you should absolutely just post the vulnerability. That's a longstanding norm.
What makes a vulnerability saleable? Is this one not valuable because the government clients of someone like Memento Labs don't care about a MITM attack on desktop computers?
Generally the vulnerabilities you can sell for money are ones that somebody can easily use to make money, as part of an existing money-making scheme they have.
If the vuln can’t be used to make money, or the way it makes money requires that a criminal enterprise make up a whole new set of workflows, it’s not going to have much of a market.
After this disastrous AMD PR, many who find a new vuln will be asking exactly that question. As a result of that, many who are buying CPUs will know how seriously AMD takes security and prompt, correct vuln fixing.
Once again, the AMD motto applies: they never miss an opportunity to miss an opportunity.
Pretty much never unless you live in a jurisdiction that won't punish you or send you to the appropriate people to be punished. If you're Russian and want to never step foot out of Russia and only attack American systems, you can do it.
Feeling grumpy today, I guess.
If the vuln can’t be used to make money, or the way it makes money requires that a criminal enterprise make up a whole new set of workflows, it’s not going to have much of a market.
Once again, the AMD motto applies: they never miss an opportunity to miss an opportunity.