Real damage could be done in such a short timeframe and really XSS bugs are not rocket science when it comes to fixing them. So why all this delay and what is to investigate here? The few unfiltered variables in the page's source code? The overall testing should be performed after the immediate remediation of publicly known security issues.
Additionally, six more XSS vulnerabilities affecting regional Vodafone web sites, were reported by "
Azat Harutyunyan":