A few months ago I found a XSS vulnerability in a product used by many people. I contacted the vendor, which happens to be a very large entity. (No, it’s not Microsoft, but that’s the only hint I’ll give). Here’s the timeline of what’s happened so far:

• Dec 18 2008 – I send an email informaing them of the problem, and showing them what was needed to replicate it.
• January 8 2009 – They sent me a response saying they were “evaluating and will get back to me”.
• Feb 12 2009 – I send a followup email asking what’s going on.
• March 5, 2009 – I get a response saying that they have verified the issue, and are working on a fix.

So, does this seem like a reasonable timeline? Should I be pushing harder? This isn’t the biggest vulnerability in the world, but it still seems like something that should be fixed, and the fix shouldn’t be that hard.

Tags: disclosure

This entry was posted on Thursday, March 5th, 2009 at 1:45 pm and is filed under general. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.