12/11/2018 - Disclosed to vendor. 90-day date is 03/12/2019.
12/12/2018 - Verizon Incident Response Team replies saying that the Python attachment was blocked. Tenable is asked to follow up with our point of contact.
12/12/2018 - Tenable replies, stating that we do not have a point of contact. We ask that our message is routed to the proper person.
12/14/2018 - No response was received from Verizon. Tenable follows up to determine the proper way of communicating.
12/14/2018 - Tenable receives an automated reply, assigning a reference number of 2018121418229.
12/14/2018 - Tenable receives a human response, indicating that we may send our disclosure and PoC. The 90-day date is moved to 3/14/2019 as a professional courtesy.
12/14/2018 - Tenable resends the disclosure and PoC.
12/14/2018 - Tenable receives an automated reply, assigning a reference number of 2018121418773.
12/14/2018 - Verizon contacts Tenable to ask for PoC.
12/14/2018 - Tenable resends the PoC again.
12/14/2018 - Verizon acknowledges they have received the PoC.
12/14/2018 - Verizon indicates that the command injection has been validated. They have opened a ticket with their vendor to address the issue, and they will send a follow-up email once a fix is confirmed.
12/17/2018 - Tenable asks if the other two bugs have been validated.
12/19/2018 - Verizon responds that the other two bugs will be "officially" handled by another group. In an unofficial capacity, these bugs were previously identified and on the roadmap to be remediated. The RCE was new, though.
12/19/2018 - Verizon responds again: "Verizon has examined the data provided and we are actively working with our engineering teams and vendor to evaluate and, as appropriate, address the reported vulnerabilities in a timely manner."
12/19/2018 - Tenable asks Verizon to keep us in the loop with any updates.
01/04/2019 - Tenable asks for an update.
01/04/2019 - Vecirt says they are still testing and validating the report. They will "take appropriate actions, including making required updates in a timely manner, if needed."
01/04/2019 - Tenable reaches out to another contact, hoping to gain more insight.
01/22/2019 - Tenable follows up: reminds Verizon of the 90-day date, asks for an update, and asks for a preferred direct contact.
01/23/2019 - Tenable informs Verizon that CVE-2019-3914 through CVE-2019-3916 will be assigned for the discovered vulnerabilities.
01/23/2019 - Verizon responds. They are "still testing and will take appropriate actions, including making required updates in a timely manner, if needed." They will "have a response for the public report before the March 14, 2019 date."
01/24/2019 - Tenable asks if Verizon has a particular date in mind.
01/29/2019 - Verizon does "not have a specific anticipated date of completion." Nevertheless, they "certainly plan to continue providing updates to you as our validation and testing efforts progress, and are completed."
02/13/2019 - Tenable asks Verizon for an update.
02/19/2019 - Verizon says the bugs will be fixed in firmware version 2.2, and it will be deployed in the near future.
02/19/2019 - Tenable asks when version 2.2 will be deployed.
03/01/2019 - Verizon pushes firmware version 02.02.00.13.
03/01/2019 - Tenable notifies Verizon of intent to publish a research advisory prior to 3/14. Asks if Verizon plans to issue an advisory.
03/01/2019 - Verizon notifies Tenable that firmware updates are pushed in small batches, and the process won't be complete until March 13. Tenable is asked to delay an advisory until March 14th.
03/01/2019 - Tenable acknowledges the request and asks if Verizon plans to issue a security advisory.
03/04/2019 - Tenable agrees to wait until the 14th. Asks again whether Verizon will issue a security advisory.
03/05/2019 - Verizon says they will not issue an advisory. They will notify Tenable when the firmware update is fully deployed.
03/13/2019 - Verizon notifies Tenable that firmware updates have been fully deployed.
04/05/2019 - Verizon informs Tenable that a small percentage of their customers still need to be patched against these vulnerabilities.
04/09/2019 - Tenable releases the research advisory.