The RFPolicy states a method of contacting vendors about security vulnerabilities found in their products.
It was originally written in 2000[1] by hacker and security consultant Rain Forest Puppy.
[3] The policy gives the vendor five working days to respond to the reporter of the bug.
If the vendor fails to contact the reporter in those five days, the issue is recommended to be disclosed to the general community.
The reporter should delay notifying the general community about the bug if the vendor provides feasible reasons for requiring so.