Secunia security advisory categorises it as "less critical" : http://secunia.com/advisories/20342/ I'm not going to argue with experts - our categorisation of the risk level stays as it is. Original report (which has been edited) claimed it was a remote exploit - this is false, and seems to have only been included in the report for added sensationalism. There is nothing sensational here. The only vulnerability is that an authenticated user may be able to run a Crystal Report which could possibly reveal sensitive information, should they have the skills to construct such a report. Only information at risk is the information contained within the Jiwa database, nothing else - no other SQL database, no files on the filesystem. Bug # 4186 in our system addresses this report redirection vulnerability. As of 5pm, Thursday June 1st, 2006 a patch for this is available for customers and dealers from our website, www.jiwa.com.au. Password encryption is a todo feature logged way before this was reported. No promise was made. My exact words were : "...I don't like to comment on un-released products, as changes are sometimes withdrawn before release, which can result in disappointment. However, I feel some information on where we are heading may do something to at least partially reassure you that we are making changes to the security within the product..." I then went on to cover a number of topics, including password encryption, and provided a URL to our bug tracking database for Robert to see all we were doing in the software. Does a company which does not care provide someone like Robert with a URL to their internal bug tracking database ? Robert, I strongly suggest you remain factual in your reports in future. We will not tolerate vexatious complaints or threats (care for me to quote some of your emails to me, here in a public forum ?).