Much more than 12 days. Below is a copy/paste of a recent security vulnerability timeline:

2015-12-14 | me > dotCMS | 8 SQL injection vulnerabilities
2015-12-14 | dotCMS > me | they were planning fixes in upcoming release, estimated to beginning of 2016
2016-03-16 | dotCMS | dotCMS version 3.3.1 release (CVE-2016-4040 still not fixed)
2016-04-07 | me > dotCMS | what is the situation with reported vulnerabilities?
2016-04-07 | dotCMS > me | CVE-2016-4040 will be fixed in 3.5, which is estimated to be out in mid-April
2016-04-19 | dotCMS | dotCMS version 3.5 release
2016-05-10 | dotCMS | dotCMS version 3.3.2 release
2016-10-31 | me | Full Disclosure on http://security.elarlang.eu

Source: http://seclists.org/fulldisclosure/2016/Nov/0

This timeline from first report to full disclosure was 10.5 months. Note that I did not go looking for a long timeline, this was the first item when I Googled "CVE disclosure timeline."

--Donald