I’m a software developer who would like to move to a career in security, and I started searching for vulnerabilities in open source projects to have something interesting to put on my resume. After discovering some low-impact vulnerabilities I found a big one (an unauthenticated RCE). I agreed with the maintainer not to disclose the exploit, but I appreciated being credited for the vulnerability on the GitHub security advisory. The CVE has been published, and I’ve seen that after a few days someone was able to reproduce the attack despite the lack of details; however, their reports are not so easy to find on search engines.
Today I received an email from someone who found my address on my GitHub profile and says they are a computer science student who would like to know more about the vulnerability I discovered. I think he is just someone who is not able to understand the vulnerability by looking at the commits and is searching for an easy-to-use exploit. However, now I’m a bit concerned about this kind of attention, since my GitHub profile contains my real name and other information about me, like my LinkedIn profile. I would like to know if you have had similar experiences and if you would use a pseudonym when you choose not to disclose all the details. Have you been able to build a career in cybersecurity while keeping a good level of anonymity about your research? Has anyone ever tried to extort an exploit from you? Would you reply to the “student”?