Josha, >>I encouraged the vendor to begin their own investigation. They ignored this, and again stated that they would await my results.<< 1. If you feel confident in your ability to exploit it then my opinion is that you offer to do the investigation at an hourly fee. (Make sure you get written documentation to any agreement with said vendor) Your time is valuable and _they_ are the responsible party for tracking it down and fixing it -- not you. So if they want you to track it down, they should pay you. Otherwise: You plainly inform them that you will be releasing the advisory in two weeks or one month and give them the date of release. Nathan.
This archive was generated by hypermail 2b30 : Thu Jan 17 2002 - 14:00:36 PST