Hello everyone, I hope this is the right place to post this. Several months ago I accidentally discovered a bug in QuickTime 7.6 for Windows. I was working with some videos and one particular file caused the player to crash. I should mention that I'm a total n00b when it comes to security vulnerabilities, but nevertheless after some research I managed to identify a particular feature that was responsible and then managed to reduce the file to less than a kilobyte while still crashing QuickTime. Please note that I'm not going to disclose the bug in full details here - just so you get the overall picture. Now, everybody knows that crash ≠ vulnerability ≠ exploit. However, based on the nature of the bug, it looks like a classic buffer overflow, so it is most likely exploitable. Of course, even with that knowledge I probably won't be able to construct the exploit myself (I have downloaded IDA Pro, but don't even know where to start looking for vulnerable code). Because, thankfully, black-hat hacking is not my full-time job, and being a responsible citizen, I reported the issue to Apple via bugreport.apple.com about ten weeks ago. I described it in full detail and attached the file, so obviously Apple engineers had all the necessary information to identify and fix the bug. Quite soon I received a canned response that my report was reviewed by security analyst and the issue is being investigated. Quite soon (June 1st, to be precise) Apple released QuickTime 7.6.2 with tons of bug fixes and security patches. Surprisingly, the fix for the issue I reported wasn't one of them, even though most of the fixed vulnerabilities are quite similar buffer overflows. Given the description of the bug, most of you would probably agree that it should be not very difficult to fix. So is Apple being responsible? Are they concerned about the security of millions of computers that have QuickTime installed, or are they just dismissing this bug as less important and not planning to fix it until much later? So what do you guys think - did I do the right thing? maybe I should have posted the bug to the security mailing list, such as Bugtraq, or contacted some security gurus who know how to handle it better?