I'm currently in the following situation and need some advice on it:
I've found several security vulnerabilities in the whole product line of a modem/router vendor. I've reported the vulnerabilities confidentially to the vendor. We got in contact, and they are currently working on updates for their products to be published - some updates are already out. In general I wait for the updates to be publicly available before publishing any information on the issues (responsible disclosure).
A few weeks ago the vendor called me and appreciated the way I dealt with the issues. Then they asked if I would agree to not publishing any information on these issues. Their problem: most of their customers are not very technically experienced, and since there isn't an automatic update process, most of them just won't update to fix the security issues.
In return they would pay me an amount of money for my effort or sponsor a training like the OSCP.
What to do? Take the money and shut up? Give this story to the press?
Thanks for your ideas! :)