A rare insight into the change management problems caused by vulnerabilities disclosed by 'security researchers' is provided by the CSO of Oracle. She argues that although fixing an identified problem may take only a few minutes, it can be far more involved. Furthermore, she claims there are customer-friendly reasons for delaying the release of fixes [which seems just a tad far-fetched to me]. She also admits that one quarter of security fixes are a result of information provided by third parties, an amazing fact given that Oracle has complete 'glass box' access to its own source code and the best Oracle professionals on the planet at its disposal.