March 29, 2007
Interesting story on CNET: "Mozilla: Hackers control bug disclosure".
From the Security-Assessment.com perspective, we don’t sell our research to product vendors. We do it for the security community and aren’t that keen on helping some of these dudes flog their gear.
The 30 days is probably not workable all the time… but hey, set a benchmark and then assess each scenario on its merits if the deadlines are not met. We’ve had instances of vendors taking many months… but ultimately it needs to be judged in whose interests the disclosures are made.
