Re: Might be a good plan but....
Indeed… I think something like Google's Project Zero is closer to the mark. Vendor is contacted, a period is given to come up with a fix, then the bug is publicised after a fixed period.
Maybe have the ability to extend it by a maximum of a month if the vendor negotiates it. (That's where they went wrong in the case of Microsoft recently.)
If you report something, then don't hear from the vendor, I think it reasonable to go public with the details, and 14 months is more than long enough!
