Hey cyber security peeps, is there some sort of best practice or algorithm for determining *how long* one should give a corporate entity after notifying them of a serious security issue before going public about it?
@siderea Ethical disclosure seems to be at least 90 days. While a vendor could ideally develop and release a remediation in that time, they may, in some cases, want more. If so, they should reach out to the person who reported it to indicate they are working on a fix and ask for more time before disclosing. As others suggest, this is a common time frame, but it won't necessarily insulate you from the ire and legal tantrums of the vendor you've disclosed to.