2015-08-15 - Issue Discovered
2015-08-15 - Auto-acknowledgement, Issue ##2362921 created
2015-08-20 - Vendor pinged
2015-08-20 - CVE Requested
2015-08-24 - Vendor acknowledgement, Issue ##7283732 now assigned
2015-09-08 - Ping CVE regarding assignment
2015-09-24 - #7283732 closed w/o explanation
2015-09-24 - Mail vendor asking why, and what the disposition is
2015-09-25 - Vendor auto-opens a new ticket ##2456074
2015-11-24 - Ping vendor for update
2015-12-21 - Ping vendor for update
2016-02-17 - Ping vendor for update
2016-02-17 - Vendor auto-opens a new ticket ##2780684
2016-02-22 - Vendor says dev could not reproduce originally and closed ticket, asked for vulnerable URLs again
2016-02-22 - Resent info with additional information about XSS vulnerability exploitation
2016-03-10 - Vendor replies that they are still analyzing the issue
2016-03-18 - Tenable emails a new security contact asking for help resolving this
2016-04-14 - Ping vendor for update
2016-04-14 - Vendor auto-assigns ##7404496 and ##7404497
2016-04-25 - Vendor closes ##7404497## as they "have not heard from us".
2016-04-25 - Reply sent requesting assistance and providing this timeline
2016-04-25 - Vendor acks mail confirming ##7283732 was resolved. Re-sent timeline again to show lack of resolution
2016-04-27 - Vendor says it will be fixed end of May, will notify us when patch available.
2016-06-22 - Ping vendor for update
2016-06-22 - Vendor auto-opens two new tickets, ##7440149 and ##7440150
2016-06-23 - Vendor provides configuration-based workaround
2016-06-29 - Tenable informs vendor we will test ASAP
2016-06-29 - Vendor auto-opens two new tickets, ##7443584## and ##7443585##
2016-07-21 - Tenable confirms workaround fixes issue. Contacts vendor, removes extraneous ticket references, asks when it will be integrated into a release.
2016-07-21 - Vendor auto-opens ##3161231##, ##7453636##, and ##7453637##
2016-07-22 - Vendor acks mail, says they will get an ETA on a real patch. ##2255088## injected into subject line in addition to other tickets.
2016-07-25 - Vendor says they will be releasing it as a patch, but does not provide ETA
2016-08-18 - Ping vendor for patch release status.
2016-08-18 - Vendor auto-opens ##7467301##, ##7467302##, and ##7467303##.
2016-08-18 - Vendor says a "high priority issue" being worked on, no patch yet.
2916-09-29 - Ping vendor for update.
2016-09-30 - Vendor replies, will check with development team
2016-09-29 - Vendor auto-opens ##7487592##, ##7487593##, and ##7487594##
2016-10-03 - Vendor replies, "We are working on this issue and this is currently in testing phase."
2017-01-19 - Ping vendor for update.
2017-01-19 - Vendor auto-opens ##2255088##
2017-01-31 - Vendor releases 9.0 Build 9241, does not notify us
2017-03-31 - Ping vendor for update
2017-03-31 - Vendor auto-opens ##8042429##
2017-03-31 - Vendor says the issues reported were fixed. Provides two internal tracking IDs and builds, no indication which ID tracks with the single issue reported.
2017-03-31 - Tenable asks for clarification.
2017-04-03 - Vendor gives generic "upgrade the app to latest build" advice, no clarification provided.
2017-04-03 - Tenable requests clarification again.
2017-04-04 - Vendor says they would like to discuss this on a phone call.
2017-04-04 - Tenable requests response via email.
2017-04-11 - Vendor gives fixing info for 9.0 and SD cross reference
2017-04-12 - Tenable asks about 9.1 tree fix
2017-04-15 - Vendor says it is not fixed in the 9.1 series
2017-04-18 - Tenable asks for 9.1 ETA
2017-04-19 - Vendor says they will not release hotfixes for 9.1