Hmm.
Those are some long fix times. Good of them to hold the talk off, but that also takes the pressure off SAP to fix. One hopes they're not taking it easy as the fix isn't public, especially as it's not just Black Hats, but government agencies now that you have to worry about using unreported vulnerabilities...