Liquidmatrix Security Digest

I’m Getting Annoyed With A Vendor


So, I discovered a vulnerability in a vendor’s software, which I reported to them on January 18, 2008, and to which they responded the same day.

All well and good.

Yes, it’s that blasted disclosure discussion again. Now, of the vendors I have dealt with up until now (save one other), the turnaround time has been phenomenal. They have all been easy to work with, and I was more than willing to accommodate their timelines so that they could get their products fixed up.

No problem.

Well, I got this email from them today. Let’s call them vendor “X”. In response to my email checking in about our previously agreed upon June release:

The update from the dev team is that they now expect that we will have all updates for impacted products available in November. It turns out that we will have to update all supported products which use [the software in question], and that the fix will need to be localized for our international customers.

I should point out that they indicated that they would have to fix the international versions of said software when they wrote me back in January.

I have to say my good will is sparse at the moment.

Granted, this will affect a wide array of their products, but November? Am I being too harsh? I’m wondering whether or not to post it anyway. Not a path that I would normally consider, as I like to try and play nice, but almost a year to fix the problem seems rather excessive.

What would you do?
