The defining characteristic of vulnerability reporters is that they originate the message that informs a vendor or coordinator of a vulnerability. In most cases, the reporter is also the finder of the vulnerability. However, this is not always the case. For example, the finder might be an employee at an organization that also has in-house vulnerability coordinators who act as the communications liaison with the affected vendor(s).
Alternatively, it could be that someone analyzing a piece of malware realized that it exploited a previously undisclosed vulnerability. In both cases, the party communicating the vulnerability information to the vendor is not the original finder. That said, whether or not the reporter is the original finder is often not as relevant as whether the newly provided information is sufficient to determine the existence and impact of the problem reported.
< 3.1. Finder | 3.3. Vendor >