I have a remote DOS and possible code execution on one of the world's most widely deployed desktop applications. Their security team has been on top of it (got back an initial human response and responsible team member within 48 hours, etc), but the nature of the beast means that all subsequent steps take weeks to months. I can't remember off the top of my head, but I think we're at 4 months and counting.
Professional courtesy suggests I should not confirm nor deny that. Let's just say that AmaGooBookSoft all have surface areas larger than the Death Star, and it is highly, highly unlikely that any of them have found all the exhaust ports yet.
