Interesting read on The Register about
a cross site scripting bug on Worldpay. Then a lot of comment about whether it was fixed quickly enough!
He tested it on their live site and confirmed it worked - and then emailed them the details of the problem. He apparently got no response.