Software developers should never take reports of security vulnerabilities lightly. But to ignore a vulnerability to the extent that you won't even commit to a timeframe to fix it is utterly irresponsible.

That's how Google information security engineer Tavis Ormandy saw it, at least. So when Microsoft hemmed and hawed at the critical security bug he discovered in the Windows XP help system, Ormandy took matters into his own hands. He published a full description of the vulnerability to the Full Disclosure security mailing list, including proof-of-concept attack code.
