Learn to follow orders dammit! … To their conclusion!
The other day I mentioned Patriot Outfitters, a tactical gear vendor that sells things like holsters or compression shorts. They had the cheapest prices on Zensah compression shirts, but a slight SSL flaw (mainly not actually using it).
First off, the flaw only affected the order form presented after creating a new account. That in itself isn't much of a problem; it still leaves first-time buyers vulnerable (usually), but only on that first order, which leaves a really small window of attack.
The problem came from a mistyped macro in a CGI program. Patriot Outfitters IT got back to me in 1 day, with the problem already fixed and a nice thank-you note. No bite on my offer to have my employer contact them to offer security services, but at least they have slightly better security. Really I'd love to go at that place and see what they have out of place, but it looks like it won't happen; so from my viewpoint, every flaw I saw got fixed.
On a related note, they packaged and shipped my order 30 seconds after I placed it. FedEx had a tracking number 10 minutes later. Good times.