by GrahamsNumber 4575 days ago
Maybe he was, maybe he wasn't, only he knows. But when you're running 100000 websites, you should Google yourself once in a while at least. Besides, this isn't some 0-day, it's some extremely basic SQL injection vulnerability. This company wasn't capable of doing extremely basic security, and should be out of business. This is the kind of company that stores your passwords in plaintext. He doesn't seem to have done anything since he was notified either (see Phil's comment).

Oh, I'm definitely not disagreeing that the company was irresponsible in their coding practices and having found the previously released notices on their own - they are certainly at fault for that negligence - and if they have indeed been notified before, then they are even worse of a company; but I still think that Sam didn't approach the disclosure properly, but that's just an opinion.