
Researcher Reports Silent Patch of Critical RCE Vulnerability Without Credit
Tags: vulnerability_disclosure, GitHub_Security_Advisory, RCE, CVE, MITRE, silent_patch, security_researcher, legal_risks, bug_bounty, open_source_security
The author of the post reports having discovered a critical Remote Code Execution (RCE) vulnerability in a paid product (costing $500–$2,000 per month) and having disclosed it via a GitHub Security Advisory (GHSA) three weeks ago. The maintainer has not responded to their messages or acknowledged the report, but silently patched the vulnerability without mentioning the flaw in the release notes, assigning a CVE, or crediting the researcher. The author is considering publishing a technical analysis or requesting a CVE directly through MITRE to obtain official recognition. They note that they ultimately contacted MITRE to avoid potential legal repercussions.