[VIM] what is "responsibly disclosed" to you?
    security curmudgeon 
    jericho at attrition.org
       
    Sun Aug  7 01:20:46 EDT 2005
    
    
  
We're all (overly) familiar with the full disclosure debate. Moving past 
that, assuming that a researcher warns a vendor before publishing, what 
exactly makes it responsibly disclosed?
Notifying the vendor? Is a timeframe part of this? (i.e., not 2 hours before 
release)
Not publishing exploit code?
Providing a workaround, interim solution, or vendor solution?
If you had to mark each vulnerability in a database as responsibly 
disclosed or not, what criteria would you use?
    
    