The vendor had been very non-responsive to previous security requests, so there was no real incentive to report it to them either. Eventually ZDI came along and we pushed the bug to them for quite a bit more than the iDefense offer. Even though 3Com pays very well, after splitting a payout between two researchers who then had to pay Uncle Sam via 1099, it often seems like a waste of time.
I do not know the going rate for a year's worth of iDefense Corp updates or a year's worth of support for ZDI's IDS, but I would have to expect that these companies are profiting far more than the average researcher who submits to them. How about the free QA that the vendors get? How much is it per license for some of these products? Can't they collaborate with folks like ZDI or iDefense to get some better incentives going? At this point, like I said, it's almost not worth selling to these sorts of companies. Uncle Sam is a friggin' hound over 1099 money.
-KF
Me, for example, if I were capable of finding such vulns, I wouldn't sell them to the guys writing the drive-by spyware installers. I might sell it to iDefense or TippingPoint, though.
BB