Tippingpoint, which operated the "Zero Day Initiative" bug bounty program released 22 vulnerabilities for which no patch is available . Last year, Tippingpoint announced that they will release details 180 days after they are aware of a bug, even if the vendor has not yet released a patch.
The details released include a one paragraph description of the vulnerability, which in itself is usually not enough to come up with an exploit, but it may provide a pointer to re-discover the vulnerability.
 http://www.zerodayinitiative.com/advisories/published/Defending Web Applications Security Essentials - SANS Brussels September 2019
Feb 8th 2011
8 years ago