Not sure that I would be seriously pissed, it is at least easily remedied. Obviously they need to fix the missing file, and disable "ASP Debugging" and "Send detailed ASP error messages to client" (I'm assuming its IIS 6.0, its in iis.msc) Crystal Reports have had a few vulns (file deletions,and DoS I think) but I think anyone worth their salt could determine the system is using Crystal without the aforementioned leak. The debugging is something that is clearly useful in development but should not be enabled on a production machine, we are all aware that misconfiguration can be just as dangerous as an application vulnerability, but some people just never learn to RTFM


-Maestr0