2014-11-10 - SQLi patch released (unknowingly fixing issue #2)
2015-02-10 - SQLi issue discovered
2015-06-22 - OpManager 11.6 released (fixing issue #1)
2015-06-23 - Vendor informed via web form (https://www.manageengine.com/manageengine-security-response-center.html). The form reported 'Data added succesfully' but 'View Log Details' errored out.
2015-06-29 - Follow-up sent asking if different comms available, since no reply to last web form report.
2015-06-29 - Vendor human reply saying details did not come through originally, please re-send
2015-06-29 - Vuln details shared via email
2015-07-06 - Pinged vendor asking if details received, issues confirmed
2015-07-07 - Vendor confirmed receiving mail, asks for config information
2015-07-13 - Vendor sends new web.xml to resolve SQLi, asks us to confirm
2015-07-13 - Let vendor know the new web.xml appears to solve the issue fully
2015-08-20 - Ping vendor about final resolution status
2015-08-20 - Request CVE
2015-09-08 - Ping CVE about assignments
2015-09-24 - Request ID ##7283732 somehow injected into process
2015-09-24 - Vendor mail saying 3 of 4 issues fixed in 9.0 Build 9030
2015-09-24 - Tenable asks for clarification, as 9.0 Build 9031 was tested and found vuln. Asks for clarification on OpManager solution.
2015-09-24 - Vendor provides solution for enumeration issue to test
2015-10-06 - Tenable tests solution, does not resolve issue. Communicated details.
2015-10-06 - ManageEngine sends spam offering ServiceDesk Training
2015-10-07 - Vendor provides second solution for enumeration issue to test
2015-10-12 - Tenable verifies the solution works on the latest minor build, asks what version will fix
2015-11-24 - Tenable asks again for fix version information
2015-11-24 - Vendor replies "latest version", Tenable asks which version first fixed
2015-11-29 - Vendor says read changelog, which doesn't clearly show fixes.
2015-11-30 - Tenable asks for SPF tracking numbers to compare to changelog.
2015-12-09 - MITRE denies request for CVE due to "unusually high probability of being a duplicate or having abstraction issues"
2015-12-21 - Tenable asks for SPF information again
2015-12-22 - Vendor asks for Support # (the ones carried in the email subject, but we reply anyway)
2016-01-11 - Tenable asks for SPF information again
2016-03-15 - Tenable asks for SPF information again
2016-03-15 - Auto reply assigning ##2453700
2016-03-18 - Tenable emails a new security contact asking for help resolving this
2016-03-19 - Zoho security team will follow-up, gives us better reporting address
2016-03-21 - Vendor replies they are looking into it, and XSS issue was assigned SD-62587
2016-03-21 - Vendor provides workaround for XSS issue for us to test
2016-03-30 - Tenable tests several revisions, verifies all issues are fixed or a workaround is available. Tells vendor to close the three tickets.
2016-03-31 - ##2255088 closed
2016-04-18 - ##7283732 closed