My coworkers and I discovered a significant security issue in a popular cybersecurity tool, which shall go unnamed here for reasons that will become obvious.
We reported the issue to the tool's vendor through their bug bounty program on bugcrowd. They ranked it as a P2 issue and paid us $2,000 for it.
It's now about six months later, and the issue still hasn't been fixed, nor have they given us a timeline for when it will be. They've also informed us that under the terms of their bug bounty program we're not allowed to publicly disclose the issue no matter how long it takes them to fix it.

UPDATE: I've followed up with them twice since reporting it, expressing increasing agitation over the fact that the issue still hasn't been fixed and it seems likely to me that it is being exploited, and this is what I've been told each time.
The issue was not arcane or difficult for us to discover and reproduce. There has been plenty of public discussion of issues of this type in tools of this type. This makes me worry that they were aware of the issue before we reported it to them, and paid us the $2,000 bounty to "catch and kill" our report, i.e., to prevent us from disclosing it publicly before they fixed it.
I am concerned that hackers may be leveraging the issue in the wild to compromise people's data, and the tool's vendor is allowing this to continue by not disclosing or fixing the issue.
Even in the existing version of the tool, there is a workaround that can be applied to minimize the impact of the issue, so disclosure would allow people using the tool to protect themselves even before a fix is released. I am therefore increasingly uncomfortable with sitting on my knowledge about this issue rather than publicly disclosing it.
At this point I'd be happy to send a check for $2,000 back to their corporate mailing address and tell them to take their bounty and shove it and then disclose the issue publicly to protect other users of the tool. The problem with this is that we donated the $2,000 to charity -- as we told them we were planning on doing when we reported the issue to them -- so we don't have the money anymore to send back to them.
Does anybody have any advice to offer?