So whatever happened to that 90 day rule? I thought people who found these sorts of exploits were supposed to tell the vendors/maintainers, and given them 90 days to get the patches out (and in this ...