[brazzledazzle]

Perhaps the employee considers the reported vulnerability in the extension resolved and the XSS issue was just a side note. I'm sure a lawyer could argue that Google is in full compliance with its policies which are probably noted in a EULA and T&C as being subject to the discretion of Google employees.

Ostensibly the 90-day window is to protect everyone, not protect companies. It gives them time to develop and test a patch which is good for all users of the software. It's not to give a company mishandling security more time to be idiots. Especially a security company. Better that users get the information to act on immediately.