I found a vulnerability in a product and have contacted the company regarding it. The vulnerability would allow a remote attacker to read any file on the system. The example I sent them downloaded the SAM database. The response I received was that they would like to wait to release the fix in the next version, which is slated to be out in a few months. Is this the way companies usually handle these types of things? I figured they would be much quicker in putting out a patch to fix it. Maybe they're taking lessons from Microsoft?