by tomiko_nakamura 4174 days ago
If you define a limit for disclosure and then don't stick to it, why define a limit in the first place? 90 days is more than enough. If MS has a lot of internal overhead, you should probably complain to them, not to Google.

If contacted by the other party and they give a good reason (in this case: "We have a fix, it's slated for release in line with other things on Tuesday"), I think a responsible security researcher should give them that time. If patch day rolls around and there's no patch, go ahead and shame. This is not a case of overhead; the MS world functions a bit differently from package management in Linux.
"Our objective is to significantly reduce the number of people harmed by targeted attacks." (http://googleprojectzero.blogspot.co.uk/2014/07/announcing-p...)

They've lost sight of this noble objective with an inflexible policy; who anointed Project Zero guardians of the internet? Why not wait the two days? Cui bono?