I have found a vulnerability in a local vendor’s product, who wasn’t found in MITRE’s CNA table. ~~Also, there is~~ ~~no Vulnerability research programs in my country AFA my research went~~.
*Edit: There is, but the application procedure is terrible. Looking into it.*
I intend to email the vendor first and then request MITRE for a CVE-ID. However, I have three questions on the subject.
1. In the event of the vendor not acknowledging my findings (*the chances of this happening is pretty high*), and a CVE-ID gets assigned, can I still publish the exploit code to [exploit-db.com](https://exploit-db.com)?
2. Can I publish a writeup on how I have found the vulnerability once a CVE ID is assigned?
3. On MITRE’s website, they says that the researcher who request a CVE-ID won’t be credited. Is there any way that I could get credited for the vulnerability I found?
This is my first zero day and I don’t know how to proceed further as different websites propose conflicting information on this. Kindly guide me on how to report this.
PS: I am not looking for bounty money; I’m just trying to mark my humble presence into the vast cyber security world.