Alright, I'll ask it again in public.
How can I privately report vulnerabilities that I found in Sandboxie?
I wrote a letter to firstname.lastname@example.org and I got: "We only handle licensing questions." I messaged Barb@Sophos, and she said that issues and security problems are handled in the forums.
I don't think it's a good practice to post vulnerabilities on public forums — it simply means full disclosure. One of the issues I am planning to report is an Elevation of Privileges that can be pretty severe for an enterprise environment. I'll report it and request a CVE ID for it as soon as I create a working proof-of-concept. So, I want to contact your development team to make sure they have time to fix it.
Do you really want me to post everything on a public forum, effectively making it a zero-day exploit?
Just go ahead and post it here, so at least the few of us that are left can know what to look out for. Sophos won't do anything about it. Doubtful they even could.