One of my tasks at IOActive Labs is to deal with vulnerabilities: report them, try to get them fixed, publish advisories, etc. This isn't new to me. I started reporting vulnerabilities something like 12 years ago, and over that time I have reported hundreds of vulnerabilities, many of them found by me and many by other people.
Since the early 2000s I have encountered several problems when reporting vulnerabilities:
- Vendor not responding
- Vendor responding aggressively
- Vendor responding but choosing not to fix the vulnerability
- Vendor releasing flawed patches or not patching some vulnerabilities at all
- Vendor failing to meet deadlines they themselves agreed to