[tialaramex]

> I think that the author should have scheduled disclosure sooner.

Yup. Ninety days is fine. More people should choose ninety days up front and not allow themselves to be strung along indefinitely.

Project Zero actually has granted two exceptions to their policy (out of well over a thousand cases), both to rival companies (Apple and Microsoft). On the whole I would say you should resist doing this, just set the policy and reap the consequences whatever they might be. If somebody's $100Bn company burns to the ground because they couldn't get their shit together for three whole months too bad.

[staticassertion]

The problem is that you hurt a lot of users a long the way in extreme cases.

[TheDong]

It's not you that hurt the users, it's the company for not being able to competently route, schedule, and fix their issue.

The reporter is only to blame if they actively exploit the vulnerability in order to harm users, not if they publish it publicly, with or without advanced notice to the company.

[vlovich123]

Or the bug fix can be hard to implement, test, and release in 3 months. I’m not saying it’s the majority of bugs but these could qualify

[dependenttypes]

I would argue that 90 days is 90 days too long. It should be 7 days at most.

[Thorrez]

Should Google Project Zero also switch to 7 days?

[dependenttypes]

No, it should switch to 0 days, that will fit with their name too.

[AdamJacobMuller]

I was thinking about how I would handle it, were I in the same situation and I think I came upon a decent idea.

1) 90-day disclosure initially 2) assuming communication, I would agree to extend for another 30 days 3) 15 days more 4) 7 days more 5) 3 days more 6) 1 day more 7) 12 hours 8) 6 hours 9) 3 hours 10) 1 hour 11) publish

More work for me, sure, but it doesn't drag out things indefinitely and i think it would have (at the later stages) created a sense of immediacy to get this fixed.