Readit News
MrBruh commented on One-Click RCE in Asus's Preinstalled Driver Software   mrbruh.com/asusdriverhub/... · Posted by u/MrBruh
notorandit · 4 months ago
> This is understandable since ASUS is just a small startup and likely does not have the capital to pay a bounty.

ASUS is not a small startup. It simply and only minds the money they suck FROM customers. There is no other way around to push money TO customers.

But the real point is: how much would be worth selling such an exploit to a malicious agent? Likely more than USD 0.00.

But then again, ASUS doesn't mind about that. Sad truth.

MrBruh · 4 months ago
On the black market such an exploit would be worth 200-500k USD
MrBruh commented on One-Click RCE in Asus's Preinstalled Driver Software   mrbruh.com/asusdriverhub/... · Posted by u/MrBruh
antmldr · 4 months ago
> so I could see if anyone else had a domain with driverhub.asus.com.* registered. From looking at other websites' certificate transparency logs, I could see that domains and subdomains would appear in the logs usually within a month. After a month of waiting I am happy to say that my test domain is the only website that fits the regex, meaning it is unlikely that this was being actively exploited prior to my reporting of it.

This only remains true in so far as no-one directly registered for a driverhub subdomain. Anyone with a wildcard could have exploited this, silent to certificate transparency?

MrBruh · 4 months ago
Nice idea, just checked it now and can confirm there was nothing suspicious in the wildcard records.
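
Added example, not part of the thread or of the original write-up: a review of certificate transparency names that flags both cases discussed above, an exact `driverhub.asus.com.<suffix>` name and a wildcard entry that would cover one without ever matching the exact-name regex. The function names, the `(cert_id, names)` input shape and the sample entries under the reserved `.test` TLD are assumptions constructed for illustration.

```python
import re

# Exact names of the form driverhub.asus.com.<suffix>, the pattern quoted in the thread.
EXACT = re.compile(r"^driverhub\.asus\.com\.[a-z0-9.-]+$")
# A certificate wildcard stands for exactly one left-most label, so the only
# wildcard that covers driverhub.asus.com.<suffix> is *.asus.com.<suffix>.
# Such an entry never contains the string "driverhub" and is missed by EXACT.
WILDCARD = re.compile(r"^\*\.asus\.com\.[a-z0-9.-]+$")


def normalize(name):
    """Lower-case a DNS name and drop whitespace and any trailing root dot."""
    return name.strip().lower().rstrip(".")


def classify(name):
    """Return 'exact', 'wildcard' or None for a single logged DNS name."""
    n = normalize(name)
    if EXACT.match(n):
        return "exact"
    if WILDCARD.match(n):
        return "wildcard"
    return None


def review(entries):
    """entries: iterable of (cert_id, [dns names]) taken from CT search results.
    Returns a list of (cert_id, normalized_name, kind) worth a manual look."""
    findings = []
    for cert_id, names in entries:
        for name in names:
            kind = classify(name)
            if kind:
                findings.append((cert_id, normalize(name), kind))
    return findings


# Constructed sample entries (not real CT data).
SAMPLE = [
    ("c1", ["driverhub.asus.com"]),                       # the vendor's own host
    ("c2", ["*.asus.com"]),                               # the vendor's own wildcard
    ("c3", ["driverhub.asus.com.example.test"]),          # exact look-alike
    ("c4", ["*.asus.com.example.test", "example.test"]),  # covering wildcard
    ("c5", ["*.example.test"]),                           # one label only, cannot cover
    ("c6", ["DriverHub.ASUS.com.Example.test."]),         # case and trailing dot
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```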
MrBruh commented on     · Posted by u/MrBruh
MrBruh · 4 months ago
ignore the post thx <3
MrBruh commented on     · Posted by u/MrBruh
MrBruh · 4 months ago
Feedback on my blog posts is always appreciated! :)

u/MrBruh

Karma: 1067 · Cake day: November 22, 2021