So it's now been 20 days since finding and disclosing a critical SQL injection issue that has the potential to affect 20,000 websites. See my first post here.
I have bounced a few e-mails off the CEO, and he has kept in touch; however, nothing yet. So that means I have now left 20K websites at risk for 20 days and counting…
The bigger players (Microsoft, Cisco etc.) with more experience have procedures in place to deal with security issues like this, so "responsible" disclosure makes sense, but by the time this advisory is released, I will have spent the same amount of time (if not more) disclosing the vulnerability than actually researching it.
These things are never as black and white as they first appear.