The RFPolicy states the recommended way to contact a vendor about security vulnerabilities in their products. It is written by Rain Forest Puppy, and is in no way a definite guide. It is his recommended policy, and both the full disclosure community and most vendors seems to like it. Someone, help me out NPOV'ing that

The policy basically gives the vendor 5 working days to respond to the originator of the problem.

If no contact is made by the vendor to the originator in 5 days, the issue is recommended to be disclosed to the general community.  The originator should help the vendor to reproduce the problem, and to work out a fix.
The originator should delay notifying the general community about the problem if the vendor provides feasible reasons for requiring so.

If the vendor fails to respond or shuts down communication with the originator of the problem in more than 5 days, the originator should disclose the issue to the general community. The vendor should give the originator proper credits about reporting the bug, when issuing an alert / fix.


External links: