Critical remote exploit not fixed by developers in 6 months?

Ref:

http://securityreason.com/exploitalert/5095

Advisory: Openfire Server Multiple Vulnerabilities
Advisory ID: AKADV2008-001
Release Date: 2008/11/07
Revision: 1.0
Last Modified: 2008/11/07
Date Reported: 2008/05/17
Author: Andreas Kurtz (mail at andreas-kurtz.de)
Affected Software: Openfire Server <= 3.6.0a
Remotely Exploitable: Yes
Risk: Critical (x) High ( ) Medium ( ) Low ( )
Vendor URL: http://www.igniterealtime.org
http://www.jivesoftware.com/
Vendor Status: No patch released yet.
Patch development time: N/A

History:

2008/05/17 - Vendor notified using sales@jivesoftware.com
2008/05/18 - Vendor notified using gaston@jivesoftware.com
2008/05/20 - Vendor response
2008/05/20 - Detailed vulnerability information sent to the vendor
2008/05/21 - Vendor confirms the vulnerability
2008/08/18 - Asked vendor for up to date information regarding the
reported issues
2008/10/18 - Again asked vendor for up to date information regarding the
reported issues
2008/10/31 - Informed vendor of planned advisory realease on 2008/11/05
(no response)
2008/11/07 - Full technical details and recommended measures released to
general public

Openfire security vulnerabilities

Bug in JIRA

http://www.igniterealtime.org/issues/browse/JM-1489

Discussion about Community Contribution