As far as I can tell, only the first issue was fixed. Is the XSS issue fixed as well? There doesn't seem to be any acknowledgement of a fix on the page after that's mentioned.
Perhaps the employee considers the reported vulnerability in the extension resolved and the XSS issue was just a side note. I'm sure a lawyer could argue that Google is in full compliance with its policies which are probably noted in a EULA and T&C as being subject to the discretion of Google employees.
Ostensibly the 90-day window is to protect everyone, not protect companies. It gives them time to develop and test a patch which is good for all users of the software. It's not to give a company mishandling security more time to be idiots. Especially a security company. Better that users get the information to act on immediately.
Ostensibly the 90-day window is to protect everyone, not protect companies. It gives them time to develop and test a patch which is good for all users of the software. It's not to give a company mishandling security more time to be idiots. Especially a security company. Better that users get the information to act on immediately.