In November, Catalin Cimpanu reported that Russian researcher, Sergey Zelenyuk, had publicly disclosed a VirtualBox 0day instead of first disclosing the problem to Oracle or working through a bug bounty platform. Curious to see what Zelenyuk’s justification for his actions would be, I found that his explanation mirrored what others had been telling me about growing dissatisfaction with bug bounty programs. Zelenyuk said: