I like VirtualBox and it has nothing to do with why I publish a 0day vulnerability. The reason is my disagreement with contemporary state of infosec, especially of security research and bug bounty: Wait half a year until a vulnerability is patched is considered fine. In the bug bounty field these are considered fine: Wait more than month until a submitted vulnerability is verified and a decision t