There are norms for this type of thing. Normally a few weeks is the minimum that people are expected to give.
At worst they don't fix it in a timely manner. At that point, give them a heads up that you're about to publish. Then you can publish the bug, the timeline and communications, which should serve as a red flag to their users, government regulators and the community.
However, you need to bear in mind publishing before they fix the issue puts existing users at risk by publicizing a flaw that can be leveraged by bad guys. You need to weigh this against any slowness to fix the issue (99.99% of companies will fix the issue). Protecting users can be a tricky line to walk in this scenario.
Also, security fixes might seem simple from the outside, but there might be hidden complexity or dependencies that you don't see. Or worse, your report is only the tip of the iceberg and there is a much larger issue that they will have to tackle all at once (and the company won't share these related issues in order to protect their users and reputation).
Giving them the extra time will achieve the goal of getting the bug fixed and protecting users. If you suspect the bug is actively being exploited you can always email them and share your concern/frustration with the timeline.
My core advice is to try your best to communicate with the company and inform them of your thoughts and concerns.