See, it works
You give a company a deadline, and when that deadline passes, you expose their flaws...and then they'll issue a patch.
Google has patched a vulnerability in the Google Admin application that could allow attackers to steal enterprise accounts. MWR Labs researcher Rob Miller reported the sandbox-hopping hole, rated medium severity, which can be exploited by malware residing on a user's device. The flaw can be used to steal Google for Work …
No, if you can't agree on a deadline (or equivalent criteria; sometimes there might be a dependence on a third party, like submitting a patched version to the Apple App Store then having to wait for Apple to approve it so users can actually install it) - release it straight away, because they're not engaging properly.
Anything other than agreeing to expedite a fix with a reasonable timescale sounds too much to me as if they're planning to hide it instead - so if you don't disclose ASAP, you'll probably find their lawyers trying to bury you instead. Every day you delay disclosure is another day they might be using to get a court injunction to gag you about it, as Ross Anderson's guys at Cambridge University have encountered in the past.
Biting the hand that feeds IT © 1998–2019