holding the vendor accountable
Background: One of the most important aspects handling vulnerabilities is notifying the vendors of their existence in their products and working with the vendor to ensure that they are either fixed or mitigated, as well as holding the vendor accountable for addressing the vulnerability.
Address the following scenario:
Being in charge of information security of a nuclear facility that happens to have industrial controls systems with a recently discovered vulnerability. You are tasked with setting up a vendor vulnerability notification system with the ability to track vulnerabilities, along with the resolution. Besides that, you also setup a reminder system to keep track of dates to hold the vendor accountable during the resolution process. One of the vendors of a critical industrial control system, chooses not to follow through with patching a critical vulnerability due to its cost. However, your product security team believes that this vulnerability can be patched, if the vendor was willing to invest the resources to do so and there are no other forms of mitigating controls to protect this system.
How would you hold this vendor accountable for not addressing this vulnerability?
Besides what has been stated, what else could possibly be done, especially if the vendor was negligent in terms of quality assurance testing prior to the product release?
Support statements with scholarly sources.