A customer has found a serious security flaw in my software, over a year after their support period has ended. Should I provide a free update?
The upgrade price is substantial, so I don't want to just give them the latest version with all its new features. But that means I have to back-port the fix into the ancient version they have.
I assume your software is of a type where security is an important concern. In general, I would say:
Benefits of Free Update:
- One happy customer
- No time spent on backporting
Costs of Free Update:
- You miss out on $X (price of upgrade)
So it comes down to whether the amount of time you spend backporting is worth $X.
If your previous version is still a supported version (for any customer), then I would expect a vendor to offer the security-fixed version to customers with a current support contract, and also to the customer(s) that reported the issue, as an act of good faith. If it would be possible to invest a little effort in giving them the latest version with the new features on a time-limited trial for free, then that would be ideal, as they may even choose to upgrade.
If that version is no longer supported, and the issue hadn't been found and resolved in a later version, I would consider offering some form of discounted upgrade deal (maybe give them 5 user licences free for the next version, or even a straight discount).
In either situation, customer satisfaction is key -- they've already helped you, so if they don't feel they get rewarded, they may spread bad feeling about your product (maybe in conversations with other vendors whilst looking to replace your product).
It may also be worth reviewing your internal business processes to reduce the impact on reverse integrating later security fixes into earlier versions, and other aspects of configuration management that would allow you to build historical versions as well as current and future.
Do the right thing and keep your customer happy. You could offer them a discount on the upgrade or simply fix the security flaw and move on.
Security updates should definitely be free. First of all, it's quite bad that you have a security vulnerability; it's horrible if you can sleep well knowing that you put your client in danger and left them like that unless they pay you (if I were a client like that, I'd be quite upset and at the first possible instance would replace the software with a competitor's).
The problem of fixing an old version is hard; that's one of the reasons we charge clients a mandatory support fee every year and give all updates for free, which saves us this headache.
If I were you, I'd go back and fix that release and then inform all clients on that release about this update; you might even convince some of them to update to the latest version.
Don't ever even think about not informing all of your clients on that version, because it's possible to wake up one morning and learn that 75% of your clients got mass-hacked in one night. That's not good publicity.
P.S. Assuming your old version is not too old; for example, it's normal for MS not to release an important bug fix for Windows 95. I know it's a whole different game, but still...
In short: yes.
The actual answer is that you must keep a maintenance branch in your source repository for every major release, and better make sure it can be built. This way you can provide security or bug fixes to your existing customer base without giving away new versions to non-paying customers.
Always have in mind that non-paying customers are still customers!
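The maintenance-branch workflow the answer above recommends, as an added example that is not part of the original answer: a constructed throwaway git repository in which a security fix made on `main` is cherry-picked into a `release/1.x` branch and tagged as a patch release, so the customer on 1.0 gets the fix without the 2.0 feature. All file names, tag names and commit messages are made up for the demo.

```shell
#!/bin/sh
# Constructed demo of backporting a security fix into a maintenance branch.
set -eu

backport_demo() (
    command -v git >/dev/null 2>&1 || { echo "skipped: git not installed"; exit 0; }
    work=$(mktemp -d)
    cd "$work"
    git init -q
    git symbolic-ref HEAD refs/heads/main
    git config user.email demo@example.invalid
    git config user.name "Demo"

    # 1. The version the customer runs: tagged, with a maintenance branch
    #    cut at exactly that point (the "flaw" is a constructed placeholder).
    printf 'validate_input=no\n' > config.txt
    git add config.txt && git commit -q -m "Release 1.0"
    git tag -a v1.0.0 -m "Release 1.0"
    git branch release/1.x v1.0.0

    # 2. Paid-for development continues on main.
    printf 'shiny new feature\n' > feature.txt
    git add feature.txt && git commit -q -m "Add 2.0 feature"

    # 3. The security fix lands on main as its own small commit, touching
    #    only the affected file so it cherry-picks cleanly onto 1.x.
    printf 'validate_input=yes\n' > config.txt
    git add config.txt && git commit -q -m "Fix missing input validation"
    fix=$(git rev-parse HEAD)

    # 4. Backport: pick just the fix (-x records the origin commit in the
    #    message) and cut a patch release for customers on the 1.0 line.
    git checkout -q release/1.x
    git cherry-pick -x "$fix" >/dev/null
    git tag -a v1.0.1 -m "Security fix for 1.0"

    # 5. Check the branch carries the fix and nothing else from 2.0.
    grep -q 'validate_input=yes' config.txt || exit 1
    [ ! -e feature.txt ] || exit 1
    tag=$(git describe --tags)
    cd / && rm -rf "$work"
    echo "$tag"    # v1.0.1
)
```

Run `backport_demo` to see the resulting patch-release tag; in a real repository the same steps apply to the existing release tag and the real fix commit.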
Depends on what you are selling of course. If you are selling Viral Killers then charging for upgrades is how you make your money.