Security companies like Core Security often notify vendors about the flaws they have found before they publish the vulnerability details to public resources.
CoreLabs found a denial-of-service vulnerability in a product called SuiteLink. I have never seen such a big vendor FAIL as in this case:
2008-02-29: Vendor acknowledges reception of the report and states that it understands the seriousness
of the problem and that its development team will look into it.
2008-02-29: Vendor asks for a copy of the proof of concept code used to demonstrate the vulnerability.
2008-03-03: Core sends proof-of-concept code written in Python.
2008-03-05: Vendor asks for compiler tools required to use the PoC code.
2008-03-05: Core sends a link to http://www.python.org where a Python interpreter can be downloaded.
2008-03-10: Vendor requests more information about the network and the firewall settings used during the tests and inquires about conformance
(or lack thereof) of the tested network with the vendor's security policies and recommendations.
2008-03-10: Vendor asks for details about how the advisory will be published.
2008-03-12: Core responds that the workstation running the vulnerable service had no firewall activated in the tests, but since the Wonderware
SuiteLink Service allows incoming connections it is assumed that the corresponding port should be allowed to receive inbound session
establishment packets.
...
2008-04-29: Vendor provides an official statement and indicates that versions of SuiteLink prior to 2.0 patch 01 are vulnerable. Multiple
products use SuiteLink.
...read on
Fixing this bug took the vendor 3 months!
(sorry for the bad formatting ;-P)