2015-09-23 - Issues discovered
2015-09-23 - Issues reported to vendor via [email protected] as the security response center page doesn't allow attachments
2015-09-23 - Automated reply from ManageEngine, ##2453571## and ##2453700## created
2015-09-24 - Vendor acknowledgement from RB on ADSolutions Team. Asks to confirm testing latest build.
2015-09-24 - Confirm test was against latest build, reply to vendor.
2015-11-04 - Vendor says all issues addressed, will be in future build. No ETA at this time.
2016-02-17 - Ping vendor for status
2016-02-18 - Vendor says 4.6 Build 4600 is latest, doesn't specify if that fixes the reported issues
2016-02-18 - Ping vendor asking for confirmation it fixes all reported issues
2016-02-19 - Vendor says will check with product team.
2016-02-22 - Vendor confirms 4.6 Build 4600 fixes the issues we reported.
2016-02-22 - Ping vendor asking how Build 4600 fixes issues in Build 4681 that we reported, perhaps they meant 4690?
2016-02-22 - Vendor confirms 4.6 Build 4690 fixes the issues we reported.
2016-03-14 - Re-tested original issues against Build 4690, all still present
2016-03-15 - Vendor follow-up mail asking if the app is meeting our needs "with the fixes"
2016-03-15 - Reply to vendor informing them not a single issue was fixed
2016-03-15 - Vendor replies, will update Dev team of our note
2016-03-18 - Tenable emails a new security contact asking for help resolving this
2016-03-22 - Vendor says CSRF not fixed yet, XSS and Priv Esc fixed in Build 4690 "for New UI"
2016-03-22 - Tenable responds, asks for ETA on CSRF
2016-03-22 - Vendor system auto assigns ##7392310## to our response.
2016-03-28 - Ticket ##2453700## closed without explanation.
2016-03-30 - Tenable asks security@ what is going on with ticket. Report to them Build 4690 fixes NONE of the issues originally reported. Send them additional pages affected by XSS.
2016-03-31 - Vendor says CSRF ETA is end of 2nd quarter; XSS and Priv Esc fixed in Build 4690 for the "New UI" but still exist in the "Old UI"
2016-04-06 - Tenable tests "New UI", CSRF appears fixed. XSS still vulnerable with trivial modification to payload. Report to vendor.
2016-04-07 - Vendor sends patch for 4690 / 4691, "included in our next release"
2016-04-11 - Vendor sends marketing mail announcing Build 4691 release. No mention of security fixes.
2016-05-18 - Vendor replies asking if everything is OK with application
2016-05-30 - Tenable sends simple PoC showing still vulnerable, regardless of UI.
2016-05-31 - Vendor replies, says fixed in 5.0 Build 4693.
2016-05-31 - Automated reply from ManageEngine, ##7428643## assigned. Second reply asking what our issue is.
2016-05-31 - Tenable asks for a copy of Build 4693 to test.
2016-06-10 - Vendor sends form letter asking for "detailed description of the issue".
2016-06-17 - Vendor sends second form letter asking for "detailed description of the issue".
2016-06-22 - Vendor informs us their request IDs start with '7' and to verify our ticket number.
2016-06-27 - Vendor says they have not heard from us, closes ##7428643##.
2016-08-18 - Tenable assumes we won't get the new build to test.
2016-10-26 - Tenable confirms all vulns are still present on 5.0.0 Build 5000
2016-10-29 - Tenable mails vendor with new details, provides timelines
2016-10-29 - Vendor auto-opens ##7501901##
2016-10-31 - Vendor says info forwarded to Dev. The upcoming release will make the Old UI "not available".
2016-12-?? - Vendor releases 5.0 Build 5020
2017-01-19 - Ping vendor for update
2017-01-19 - Vendor auto-opens ##2453700##
2017-01-20 - Vendor responds that version released in Dec restricts old UI and vulnerable links
2017-01-20 - Vendor also responds they will look into our request
2017-01-20 - Tenable asks which version specifically fixed these issues
2017-01-23 - Vendor confirms build version 5020 fixed these issues