Coordinated Disclosure

When we find a vulnerability, we notify the vendor privately and allow a reasonable window for remediation before any public disclosure.

Reasonable means exactly what it sounds like. We're not in a rush, but we're not infinitely patient either.

If a vendor is actively working the problem, we'll work with them. If they're ignoring it, the clock is ticking.

The security community and the public have a right to know about vulnerabilities that affect them, balanced against giving vendors a fair chance to fix things first.


Reporting to us

If you've found something that concerns one of our systems, we'd genuinely like to hear about it.

Encrypt to our public key and send to labs at… you know the rest.