    I found a vulnerability in a product and have contacted the company regarding it. The vulnerability would allow a remote attacker to read any file on the system. The example I sent them downloaded the SAM database. The response I received was that they would like to wait to release the fix in the next version, which is slated to be out in a few months. Is this the way companies usually handle these types of things? I figured they would be much quicker in putting out a patch to fix it. Maybe they're taking lessons from Microsoft?

    Hmmm, I figured they would just put out a patch, as in my eyes it would be quicker. Also, when they put out the next version, are they going to give you a free copy seeing how you found the vuln, or are they going to make you buy it? I think you should get a free copy or something, seeing how you did find it and notify them about it.


    Yeah, but patches don't make money. Making people buy the latest slightly modified version does. Gotta love it.

    So if you found it, that means someone else not so honest could have found it also. You're not telling them to protect their ass and help them sell their product, but to protect those that have already bought it. Give them a reasonable time frame in which to create a patch and let them know you're going to release it when that time is up. How many have to lose so they can save?
    Making people buy the latest slightly modified version does. Gotta love it
    Not only that, but when there's the need for constant updates/modifications/etc. you can make a WHOLE lot of money, especially in Microsoft's case.
