in reply to application stress testing with Perl
(name withheld to protect the vendor)
What interest do you really have in protecting the vendor? If you found this with a simple port scan, it is likely that the vendor is already aware of it. You might research a bit to see if it is already a known issue. Sadly, many vendors don't act very quickly on problems like this unless pushed to do so.
I will also be notifying the vendor but I want to spend a few more days looking at this.
If you really feel this is a security vulnerability, and it sounds like it could at least be a DoS vulnerability, you should do the community a favor and report it immediately. There is no good reason to wait. My suggestion is that you fill out CERT's Vulnerability Reporting Form in addition to contacting the vendor. Let the vendor know you filled it out.
I am not advocating that you make it public, although some might argue the merit of that approach.
-sauoq "My two cents aren't worth a dime.";
Re: Re: application stress testing with Perl
by Ryszard (Priest) on Sep 24, 2002 at 07:59 UTC