At the end of 2011, Microsoft released the MS11-100 security advisory (that is, number 100 in 2011, which is quite a lot, actually). The title of the document, available at http://mng.bz/pOXK, sounds pretty dramatic: “Vulnerabilities in .NET Framework Could Allow Elevation of Privilege.” And, indeed, it was dramatic. In early October of that year, security researchers found a vulnerability in the built-in ASP.NET user management features: it was possible to log in to an application as an arbitrary user.
The security researchers’ writeup (http://mng.bz/44RR) is an interesting read. According to their description of events, they asked Microsoft for a status update six weeks after reporting the vulnerability; according to the case manager, an update was expected in February or March, that is, 4 to 6 months after the issue was reported.