->
->> Why is that bad? I have no objection to giving vendors a reasonable
->> amount of time to fix problems before announcing the whole.
-> Or is your
->> point that two days hardly seems like enough time to develop -- and
->> *test* -- a fix?
HMMM,
If I was a real hacker, and I found the problem, might I also know the fix?
And if I was really nice, would I give that fix to the vendor?
Or could it be that a former Checkpoint employee is now an ISS employee?
Or .....?
J
In my experience, CP does not exactly have the best track record for
fixing problems. When I've informed them of vulnerabilities in the past
I've heard everything from "Well you would not have that problem if you
used the product the way it was intended" (remote overflow), to "we'll
fix that problem in the service release coming out 3 months from now
(DoS script kiddies were using against multiple sites, tool in the
wild).
Some vendors are slow no matter what you do. 
C