

After getting ignored even when the FBI got involved? What would be the right way then?


Probably through your lawyers.


_their_ lawyers, I guess. Which would be paid out of their own pockets?


Anything else bothers you about this story? Because how they chose to contact Atrient seems like a very unimportant detail in all this.


I'm bothered by people being assaulted just as much as most of the commentators here. Just because I'm not parroting the same "wow Atrient is bad, security researchers good" message doesn't mean my comment is not valid.

Obviously a security researcher that has reported an issue wants to have a healthy dialogue with the company and see that the flaw is patched in a reasonable time frame. But let's not pretend that we have all the facts here. Were they in the middle of an internal investigation? If that investigation showed that there was nobody actively exploiting this issue, doesn't Atrient have the right to patch this vulnerability on their own timeline rather than the researchers'?


> ...doesn't Atrient have the right to patch this vulnerability on their own timeline rather than the researchers?

Sure, but you can't expect a third party to just stay quiet on the subject for as long as you drag your heels.


> nobody actively exploiting this issue

No segmentation and plaintext communication literally means this would be highly difficult to prove.


Don't these security researchers have the right to go to a conference and talk to other attendees?


It takes days to turn around an NDA. If months have passed, the vendor is obviously stalling.

