What is more concerning, in this case, is the vendor’s absolutely unacceptable response time (‘last fall’ and still no resolution? For a ‘security’ product? Pitiful) and the flavor of vulnerability.
“Hey, let’s see if that field can handle atypically long inputs…” is among the most elementary ways of poking at something to see if it will fall over, and failing to validate inputs even for length (never mind escape sequences, Unicode freakery, etc.) suggests that somebody didn’t know, didn’t care, or both.
Even if those are actually, by some miracle, the only flaws, the response time is inexcusable; but when somebody bungles a really, really basic aspect of hardening the system, you have to wonder what other exciting surprises are lurking, waiting to be discovered.
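The elementary poking the comment describes, as an added example that is not part of the original post and not the vendor's code: a hypothetical field validator (the limits `MAX_FIELD_CHARS` and `MAX_FIELD_BYTES` are made-up values, not anything from the product discussed) and a probe routine that feeds it the constructed hostile inputs the comment lists, an atypically long string, an ANSI escape sequence, a NUL byte, a bidi override, a lone surrogate, combining marks and wide characters, and records what it accepts.

```python
"""Poke a text field with long inputs, escape sequences and Unicode oddities.

Added example, not code from the original post or from the vendor it
discusses. The validator and its limits are hypothetical; the probe
strings are constructed for the demonstration.
"""
import unicodedata

# Hypothetical limits. A real field gets them from its schema or storage,
# and the two are distinct: a UTF-8 buffer can overflow on bytes while the
# code-point count still looks fine.
MAX_FIELD_CHARS = 64
MAX_FIELD_BYTES = 128


def validate_field(value):
    """Return (accepted, reason) for one field value.

    Order matters: reject control/format/surrogate code points first (a
    lone surrogate cannot even be UTF-8 encoded), normalize so the length
    check cannot be dodged with decomposed forms, then bound both the
    code-point count and the encoded size.
    """
    if not isinstance(value, str):
        return False, "not a str"
    for ch in value:
        # General category C* = Cc control, Cf format (bidi overrides,
        # zero-width), Cs surrogate, Co private use, Cn unassigned.
        if unicodedata.category(ch).startswith("C"):
            return False, "disallowed code point U+%04X" % ord(ch)
    normalized = unicodedata.normalize("NFC", value)
    if len(normalized) > MAX_FIELD_CHARS:
        return False, "%d code points > %d" % (len(normalized), MAX_FIELD_CHARS)
    nbytes = len(normalized.encode("utf-8"))
    if nbytes > MAX_FIELD_BYTES:
        return False, "%d bytes > %d" % (nbytes, MAX_FIELD_BYTES)
    return True, "ok"


# Constructed probe inputs, one per failure mode the comment mentions.
PROBES = {
    "plain": "alice",
    "long_ascii": "A" * 10_000,              # the classic "can it handle a long one?"
    "ansi_escape": "alice\x1b[2J",           # terminal escape sequence
    "nul_byte": "alice\x00root",             # C-string truncation bait
    "bidi_override": "alice\u202eeilax",     # right-to-left override (Cf)
    "lone_surrogate": "alice\ud800",         # not encodable as UTF-8
    "combining_marks": "e\u0301" * 64,       # 128 code points raw, 64 after NFC
    "wide_cjk": "\u4e2d" * 64,               # 64 code points but 192 bytes
}


def probe(validator=validate_field):
    """Run every probe through the validator; returns {name: (accepted, reason)}."""
    return {name: validator(value) for name, value in PROBES.items()}


if __name__ == "__main__":
    for name, (accepted, reason) in probe().items():
        print("%-16s %-8s %s" % (name, "ACCEPT" if accepted else "REJECT", reason))
```

Swap `validate_field` for the real handler under test and any probe that comes back `ACCEPT` is the one to look at; the combining-marks case is accepted here on purpose, because normalization runs before the length check, while the CJK case is rejected on bytes despite passing the code-point count.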