I'm very sad but somewhat not surprised to hear that you, as a "supposed security vendor", are not familiar with the term defense (or security) in depth. This is one of the basic security principles when building secure systems. In a nutshell, security of a certain system must not be dependent on a single component whose failure would cause compromise of the system. Instead, security must be built in from the start and in each and every component.
That's exactly what you failed to provide.
You're entirely wrong when you say "most vendors don't bother to protect their drivers from being accessed by any program" - that's simply not true, at least for the drivers I mentioned in my previous post. Some security applications (I won't name them) have no authentication scheme, yet they are very secure, and their functionality is very similar to that of SAS. How is that possible? Because they use an entirely different architecture/design and methods of reporting to user mode regarding critical functions, and don't have simple programming mistakes that your drivers do have.
And Nick (I won't put it into quotation marks), you're actually wrong about the entire "all functions in our driver are not accessible without authentication - PERIOD" part. I'm sure you'll delete this part, but you'll read it anyway, so it's worth writing - what if someone injects a new thread into the SAS process? The thread (i.e. code) would run in the SAS context, thus being registered with the driver, and could exploit all vulnerabilities I discovered. SAS does not prevent thread injection, at least not in the free edition. Your "authentication scheme" is useless here, since that thread would come from an already registered process. Think about that, I think I gave you valuable advice.
I think I helped your customers more than you think. Since your "fixes" between versions were inadequate, and since you rejected my help, publication of my advisory is probably going to persuade you to fix your program correctly this time. I think the time was well spent.
Please, post here my e-mail where I "clearly said I will NOT publish the authentication scheme to the driver". I'm certain you won't be able to post it, since I never said that. I said that:
Since you failed to reply to my e-mail and were considering me a nuisance and extortioner, I changed my mind and published the advisory. I believe I had every right to do so, since you failed to follow the procedure specified by the policy.
It would be great if you actually cared for your customers instead of caring only for your company - you never mentioned customers in your replies, and I believe they are the most affected ones, not your company.