I reported a security vulnerability. Now what?

I recently discovered a vulnerability for the first time. I found the product’s security contact and sent some information. Ideally they will respond acknowledging the issue and provide a timeline for a patch.

What if that doesn’t happen? How long is appropriate to wait before following up? When do you promise public disclosure? What if they disagree that it is a vulnerability?

Is there a guide for reporting vulnerabilities somewhere? I thought I’d be able to find one but I wasn’t able to. A resource like that would be handy.