
If you believe you're aware of any security issues with WordPress core itself, Automattic is running a Bug Bounty program over on HackerOne here: https://hackerone.com/automattic/ -- responsible disclosure, bug bounties, and making the web a safer place is awesome.


You really think some piddling Automattic bounty is more valuable than a WordPress 0day?!?!?!?!? (Conscious punctuation.)

I'm at a loss for words, scaredy-cat.


So you are implying that there are no honest people out there, and on top of that everyone that finds a vulnerability has the guts and resources to make money off a 0day bug?


What's so hard in making money off 0days? Especially in this day and age of SilkRoute clones and Cryptocurrencies.

I was under the impression that a big reason why 0day exploits are not popping up all over is because the folks who discover them can now sell them (for way more than any bounty program), whereas earlier the only way to monetize was to use them as advertisement for selling your skills. Instant payment vs Contractual jobs. I'd say now the 0day vulns end up in the hands of professionals (criminal networks/state actors) rather than script kiddies.


More than one person can rediscover an exploit. Paying all of them gets expensive.



