Alright, I'll ask it again in public.
How can I privately report vulnerabilities that I found in Sandboxie?
I wrote a letter to firstname.lastname@example.org and I got: "We only handle licensing questions." I messaged Barb@Sophos, and she said that issues and security problems are handled in the forums.
I don't think it's a good practice to post vulnerabilities on public forums — it simply means full disclosure. One of the issues I am planning to report is an Elevation of Privileges that can be pretty severe for an enterprise environment. I'll report it and request a CVE ID for it as soon as I create a working proof-of-concept. So, I want to contact your development team to make sure they have time to fix it.
Do you really want me to post everything on a public forum, effectively making it a zero-day exploit?