vulnerability disclosure response time
Thursday, March 5th, 2009

A few months ago I found a XSS vulnerability in a product used by many people. I contacted the vendor, which happens to be a very large entity. (No, it’s not Microsoft, but that’s the only hint I’ll give). Here’s the timeline of what’s happened so far:
- Dec 18 2008 – I sent an email informing them of the problem, and showing them what was needed to replicate it.
- January 8 2009 – They sent me a response saying they were “evaluating and will get back to me”.
- Feb 12 2009 – I sent a followup email asking what’s going on.
- March 5, 2009 – I get a response saying that they have verified the issue, and are working on a fix.
So, does this seem like a reasonable timeline? Should I be pushing harder? This isn’t the biggest vulnerability in the world, but it still seems like something that should be fixed, and the fix shouldn’t be that hard.