This process was developed/implemented by HexView
a few years ago (I worked for them at that time):
Whoever finds the vulnerability likely has enough knowledge to roughly estimate what it takes to fix it and test the fix. He/she supplies all details to the vendor and gives them a hard time frame, e.g.: "I will release this data to the public 30 days from now". At the same time, vulnerability alert without details to prevent/delay re-discovery may be released to the public. If the vendor fails to resolve the vulnerability in a timely manner -- too bad, you were given enough time for fixing and testing.