C2IT.com has fixed the flaws I published. Let's see, That's 3 months and nothing for quietly trying to get them to fix things vs. 36 hours after getting picked up by media and it actually getting fixed. Does the media have a special security hotline to call, or do companies only fix things when pressed? (please excuse the pun) So, tell us, are you for public disclosure? Update - another Citibank site has been posted to my list of exploitable sites, along with a few other high profile sites.