NMRC Disclosure Policy
The old disclosure policy (first established in 1998) had a disclosure period of 30 days: if we heard nothing from a vendor within 30 days, we went public. However, the current standard adhered to by most researchers and organizations is 90 days, so that is our basis. Therefore, the following:
- If we find a security flaw, hole, or bug in software, firmware, or hardware, we will contact the vendor with a formal notice via email. A written record is a must. Vendors (especially IoT vendors, as you seem to be the worst at this): your point of contact should not be a chatbot on your website; we would prefer to work with a human being.
- While we may contact you first to find the right method to report security flaws, the 90 day "clock starts ticking" with the formal notice.
- We will not wait until the end of the 90 days if you state that the problem doesn't exist or is in fact a "feature" of the product. We may disagree and try to point out how we think we are right and you are wrong, but if you're convinced we are wrong we will go ahead and publish our work.
- We will work with you. If we feel you are genuinely working to resolve the issues, we are more than willing to help where we can and to extend the 90 day deadline.
- If you release a patch, are forthcoming that it corrects a security problem, and the problem is serious, we will allow time for your customers to apply the patch, possibly extending the 90 day deadline to accommodate a patching buffer zone. Otherwise we will release our information at or close to the time the patch is released.
- We will certainly alter this timetable if the problem is actively being exploited, if it was previously reported to the vendor, or if independently discovered by another individual who publicizes the information.
- We are not in this for the money, so a "bug bounty" is not required. If your organization works through a bug bounty program, we will use that method of reporting. After operating costs, any bounties will be donated to a charity.
- It is possible that a reporter is using their nmrc.org email address but acting alone. While we encourage such reporters to adhere to this policy, they are free to make their own decisions and will state their own "policy" up front when reporting. We don't control individuals' actions; we can only encourage.