I finally began reading Ross Anderson's Security Engineering book and came across a passage which notes that in 2012, Anderson heard that a volunteer working on WebKit was caught deliberately contributing vulnerable code which could later be sold to an exploit vendor.
I have found next to nothing about this online. Only Ross' testimony in a US court case: https://committees.parliament.uk/writtenevidence/61727/html/
For example, I learned in 2012 that a volunteer to the Webkit free software project, which develops and maintains graphics software for use in browsers, had been discovered trying to sneak a vulnerability into the software, with a view to selling it later.
Does anybody else know further details of this? Given the recent xz/openssh backdoor attempt, I would be interested hearing what happened here.
